[Pdns-users] DNSSEC, pdns-recursor and libunbound
Michael Ströder
michael at stroeder.com
Fri Apr 24 19:35:58 UTC 2015
Michael Ströder wrote:
> We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs
> retrieved through a pdns-recursor (also tested 3.7.2).
>
> It seems that
>
> 1. libunbound does not explicitly retrieve the RRSIG RRs and
>
> 2. pdns-recursor does not return them when not explicitly requested (qtype ANY).
> (Explicitly requesting RRSIG works.)
>
> => validation in libunbound fails
Did further testing with python-unbound (thin wrapper module on top of
libunbound) with a simple script almost equal to this:
http://www.unbound.net/documentation/pyunbound/examples/example4.html
Looking at PCAP dumps with Wireshark, the requests sent by libunbound contain
the DO bit:
1... .... .... .... = DO bit: Accepts DNSSEC security RRs
It seems to me that unbound and Google's 8.8.8.8 therefore return RRSIG RRs
while pdns-recursor does not.
I have to admit that looking at [1] rather confuses me. ;-)
Sniffing the outgoing requests sent by pdns-recursor, the DO bit is missing.
Obviously the DNS servers then do not respond with RRSIG RRs.
Ciao, Michael.
[1] http://tools.ietf.org/html/rfc4035#section-3.2.1
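The observation above turns on one EDNS0 flag: a resolver that forwards queries without the DO bit will not get RRSIG records back, so a downstream validator has nothing to verify. The following is an added example, not code from the post or from the PowerDNS or Unbound projects, that shows what to look for in a capture: it builds a query with and without the DO bit in the OPT pseudo-RR, and parses constructed sample responses to count RRSIG records in the answer section. All names, packets and helper functions (`build_query`, `has_do_bit`, `rrsig_count`, `sample_signed_response`) are assumptions of this example; the RRSIG signature bytes are dummy placeholders.

```python
"""Added example (not part of the mailing-list post): build a DNS query with
the EDNS0 DO bit set and check responses for RRSIG records.
Standard library only; every packet is constructed inline, nothing is sent."""
import struct

QTYPE_A = 1
QTYPE_OPT = 41
QTYPE_RRSIG = 46
DO_FLAG = 0x8000  # high bit of the OPT RR's 32-bit TTL field (RFC 4035 3.2.1)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, do=True, txid=0x1234):
    """Standard query (RD set) with one OPT pseudo-RR; DO bit optional."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner name, type 41, UDP payload size in the CLASS field,
    # extended RCODE/version/flags in the TTL field, empty RDATA.
    flags = DO_FLAG if do else 0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, flags, 0)
    return header + question + opt


def read_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_records(packet):
    """Return (txid, flags), questions, and (section, name, type, class, ttl, rdata) tuples."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = read_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, offset = read_name(packet, offset)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
            offset += 10
            records.append((section, name, rtype, rclass, ttl, packet[offset:offset + rdlen]))
            offset += rdlen
    return (txid, flags), questions, records


def has_do_bit(packet):
    """True if the packet carries an OPT RR with the DO flag set."""
    _, _, records = parse_records(packet)
    return any(r[2] == QTYPE_OPT and r[4] & DO_FLAG for r in records)


def rrsig_count(packet):
    """Number of RRSIG records in the answer section, i.e. what a validator needs."""
    _, _, records = parse_records(packet)
    return sum(1 for r in records if r[0] == "answer" and r[2] == QTYPE_RRSIG)


def sample_signed_response(with_rrsig=True):
    """Constructed response: A record, optionally its RRSIG, and an OPT RR with DO set."""
    name = encode_name("example.net")
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2 if with_rrsig else 1, 0, 1)
    question = name + struct.pack("!HH", QTYPE_A, 1)
    ptr = b"\xc0\x0c"  # compression pointer to the owner name at offset 12
    a_rr = ptr + struct.pack("!HHIH", QTYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 1])
    # RRSIG RDATA layout per RFC 4034 3.1; dummy expiry/inception/key tag/signature.
    sig_rdata = struct.pack("!HBBIIIH", QTYPE_A, 8, 2, 3600, 0, 0, 0) + name + b"\x00" * 16
    rrsig_rr = ptr + struct.pack("!HHIH", QTYPE_RRSIG, 1, 3600, len(sig_rdata)) + sig_rdata
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, DO_FLAG, 0)
    return header + question + a_rr + (rrsig_rr if with_rrsig else b"") + opt


if __name__ == "__main__":
    print("query carries DO:", has_do_bit(build_query("example.net", QTYPE_A)))
    print("RRSIGs in signed response:", rrsig_count(sample_signed_response()))
    print("RRSIGs in stripped response:", rrsig_count(sample_signed_response(False)))
```

Run against real captures, `has_do_bit()` applied to the queries a recursor emits upstream is the quick check for the symptom described here, and `rrsig_count()` on the answers confirms whether a client that sets DO actually receives the signatures it needs to validate.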