Hi,

It would be nice if the new "forward-first" option in unbound would be able to switch over to direct query not only in case the forwarder does not respond but also when the response is not correctly validated.

The problem is that I am using unbound locally on my laptop to ensure all DNS traffic is validated. It works great when unbound is doing all the recursion. But it is quite an inelegant solution with low scalability. But when I set up forwarding of the "." zone to DHCP-assigned DNS forwarders, it often starts to behave strangely. Not only do some old DNS forwarders strip DNSSEC data, rendering the trust anchor invalid, there is also a problem with forwarding wildcard DNS queries to BIND 9.7 or 9.8.

I have set up a test page showing your DNSSEC validator status; feel free to test your resolver setup: http://0skar.cz/dns/en/

It would be nice if unbound would be able to fall back to direct recursion if forwarded data fails to validate. Using an external solution like dnssec-trigger cannot solve the problem well, since there are so many affected resolvers out there, so dnssec-trigger would fall back to some tunneling setup virtually all the time. Using a proper forward-first, it would be possible to use (even broken) forwarders most of the time, and switch to "full recursion mode" only in case validation fails.

Cheers,
Ondřej Caletka

_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
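The laptop setup the post describes, written out as an unbound.conf fragment; this is an added illustration, not configuration from the post or from the unbound project, and the forwarder addresses and trust-anchor path are placeholders.

```conf
# Added illustration (not from the original post): a local resolver that
# validates DNSSEC itself but sends queries for "." to the DHCP-supplied
# forwarders first.  Addresses and the anchor path are placeholders.
server:
    # Validate every answer locally against the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Answers from which a forwarder stripped the DNSSEC records are
    # treated as bogus (SERVFAIL) rather than accepted as unsigned.
    # This is the default, spelled out here because the post's complaint
    # is exactly about forwarders that strip that data.
    harden-dnssec-stripped: yes

forward-zone:
    name: "."
    forward-addr: 192.0.2.53    # placeholder: first DHCP-assigned forwarder
    forward-addr: 192.0.2.54    # placeholder: second DHCP-assigned forwarder
    # Try the forwarders first and fall back to full recursion only when
    # they cannot be reached; a validation failure does not trigger the
    # fallback, which is the gap the post asks to have closed.
    forward-first: yes
```

With this in place a stripped or otherwise bogus answer from the forwarders still ends as SERVFAIL for the client, which is the observable symptom the post reports.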
