Hi Leen, I know the guy (Torbjorn Eklov) who wrote the script at test.ipv6.tk so I asked him about the internals. It is a javascript that check if you can reach www.trasigdnssec.se (brokendnssec in Swedish). The domain is deliberately broken; there is a published DS record at the parent but no corresponding DNSKEY at the child. So it has nothing to do with DO flag set or not.
So if you can't resolve www.trasigdnssec.se you are obviously doing validation somewhere. Do you perhaps have a forwarder to something that validates? -S ---------------------------------------------------------------------- Stephan Lagerholm Senior DNS Architect, M.Sc. ,CISSP Secure64 Software Corporation, www.secure64.com Cell: 469-834-3940 > -----Original Message----- > From: [email protected] [mailto:unbound-users- > [email protected]] On Behalf Of Leen Besselink > Sent: Thursday, February 04, 2010 10:46 AM > To: [email protected] > Subject: [Unbound-users] small bug ? > > Hi, > > As someone with more interrest in DNS and DNSSEC than more people, I > tried the following page: > > http://test.ipv6.tk/ > > Now I have an unbound running on my machine, but it does not have > anything configured to do validation. > > But still this page says: > > "Your ISP validates DNSSEC for .se" > > So I tried again with the latest version of unbound and created a > pcap-file to see what was going on. > > And I found out unbound was sending queries with the D0-bit set, but it > isn't configured to actually validate anything. > > Is their a way to turn this off when needed (for example if I'm running > unbound on a laptop and am somewhere with a bad firewall) ? > > Is this a bug or is this on purpose ? > > Just a few questions I came up with while I was typing this. :-) > > Anyway, thank you for creating Unbound. > > Have a nice day, > Leen. > _______________________________________________ > Unbound-users mailing list > [email protected] > http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
