Jan Včelák <[email protected]> wrote:
>
> After inspecting responses from BIND and Unbound, I believe this is
> caused by BIND adding NS RRs without an RRSIG added into the authority
> section of the answer.

> I don't know why BIND is adding the NS into the answer. But I think this
> is really a problem of BIND, as per
> http://tools.ietf.org/html/rfc4035#section-3.1.1:
>
> >    o  When placing a signed RRset in the Authority section, the name
> >       server MUST also place its RRSIG RRs in the Authority section.
> >       The RRSIG RRs have a higher priority for inclusion than any other
> >       RRsets that may have to be included.  If space does not permit
> >       inclusion of these RRSIG RRs, the name server MUST set the TC bit.

I think you are right that it is a bug in BIND. I also think Unbound should
discard the incomplete RRset rather than failing to return a response.


It looks like the bug in BIND is due to a combination of an unsigned NS
RRset that came from a referral, and validation turned off. I can't
reproduce the bug with my validating resolvers with a normal query but it
does occur if I set the CD bit.

Are you going to send this in to [email protected] or would you like me
to do it?

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
Viking, North Utsire: Northerly 5 or 6, decreasing 4, backing southwesterly 4
or 5 later. Rough, becoming moderate. Wintry showers, rain later. Mainly good.
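
The RFC 4035 section 3.1.1 condition discussed in this thread, as an added example that is not part of the original messages and is not BIND or Unbound code: it reads a dig-style response and splits each section's RRsets into those accompanied by a covering RRSIG and those without one. The sample response, its names and the function names are constructed, and the check assumes the zone is signed, which the response alone cannot tell you.

```python
# Added example. SAMPLE is a constructed response in dig's text layout:
# a signed answer plus an NS RRset in the authority section with no RRSIG.
SAMPLE = """\
;; ANSWER SECTION:
www.example.com.  300  IN  A      192.0.2.10
www.example.com.  300  IN  RRSIG  A 8 3 300 20300101000000 20200101000000 12345 example.com. c2ln
;; AUTHORITY SECTION:
example.com.      3600 IN  NS     ns1.example.com.
example.com.      3600 IN  NS     ns2.example.com.
"""

def parse_section(text, section):
    """Return [(owner, rrtype, rdata_fields)] for one section of dig-style output."""
    records, active = [], False
    for line in text.splitlines():
        if line.startswith(";;"):
            # Any ';;' header line switches the current section on or off.
            active = line.strip().upper() == f";; {section} SECTION:"
            continue
        fields = line.split()
        if active and len(fields) >= 5:  # owner, TTL, class, type, rdata...
            records.append((fields[0].lower(), fields[3].upper(), fields[4:]))
    return records

def split_rrsets(records):
    """Split a section's RRsets into (complete, incomplete) lists of (owner, type).

    An RRset counts as complete when the same section carries an RRSIG at the
    same owner whose 'type covered' field (first RDATA field) matches its type.
    """
    covered = {(o, rd[0].upper()) for o, t, rd in records if t == "RRSIG"}
    rrsets = sorted({(o, t) for o, t, _ in records if t != "RRSIG"})
    complete = [k for k in rrsets if k in covered]
    incomplete = [k for k in rrsets if k not in covered]
    return complete, incomplete

if __name__ == "__main__":
    for name in ("ANSWER", "AUTHORITY"):
        ok, missing = split_rrsets(parse_section(SAMPLE, name))
        print(name, "with RRSIG:", ok, "without RRSIG:", missing)
```
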