[Pdns-users] DNSSEC, pdns-recursor and libunbound
michael at stroeder.com
Fri Apr 24 19:35:58 UTC 2015
Michael Ströder wrote:
> We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs
> retrieved through a pdns-recursor (also tested 3.7.2).
> It seems that
> 1. libunbound does not explicitly retrieve the RRSIG RRs and
> 2. pdns-recursor does not return them when not explicitly request (qtype ANY).
> (Explicitly requesting RRSIG works.)
> => validation in libunbound fails
Did further testing with python-unbound (thin wrapper module on top of
libunbound) with simple script almost equal to this:
Looking at PCAP dumps with Wireshark the requests sent by libunbound contain
the D0 bit:
1... .... .... .... = DO bit: Accepts DNSSEC security RRs
It seems to me that unbound and Google's 126.96.36.199 therefore return RRSIG RRs
while pdns-recursor does not.
I have to admit that looking at  rather confuses me. ;-)
Sniffing the out-going requests sent by pdns-recursor the D0 bit is missing.
Obviously the DNS servers then do not respond with RRSIG RRs.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4272 bytes
Desc: S/MIME Cryptographic Signature
More information about the Pdns-users