[Pdns-users] DNSSEC, pdns-recursor and libunbound

Michael Ströder michael at stroeder.com
Fri Apr 24 19:35:58 UTC 2015

Michael Ströder wrote:
> We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs
> retrieved through a pdns-recursor (also tested 3.7.2).
> It seems that
> 1. libunbound does not explicitly retrieve the RRSIG RRs and
> 2. pdns-recursor does not return them when not explicitly request (qtype ANY).
>     (Explicitly requesting RRSIG works.)
> => validation in libunbound fails

Did further testing with python-unbound (thin wrapper module on top of 
libunbound) with simple script almost equal to this:


Looking at PCAP dumps with Wireshark the requests sent by libunbound contain 
the D0 bit:

1... .... .... .... = DO bit: Accepts DNSSEC security RRs

It seems to me that unbound and Google's therefore return RRSIG RRs 
while pdns-recursor does not.

I have to admit that looking at [1] rather confuses me. ;-)

Sniffing the out-going requests sent by pdns-recursor the D0 bit is missing. 
Obviously the DNS servers then do not respond with RRSIG RRs.

Ciao, Michael.

[1] http://tools.ietf.org/html/rfc4035#section-3.2.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4272 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20150424/c91af8cb/attachment-0001.bin>

More information about the Pdns-users mailing list