[Pdns-users] DNSSEC, pdns-recursor and libunbound

leen at consolejunkie.net leen at consolejunkie.net
Fri Apr 24 21:07:46 UTC 2015

On 2015-04-24 21:35, Michael Ströder wrote:
> Michael Ströder wrote:
>> We're currently testing DNSSEC validation with libunbound 1.5.3 with 
>> all the RRs
>> retrieved through a pdns-recursor (also tested 3.7.2).
>> It seems that
>> 1. libunbound does not explicitly retrieve the RRSIG RRs and
>> 2. pdns-recursor does not return them when not explicitly request 
>> (qtype ANY).
>>     (Explicitly requesting RRSIG works.)
>> => validation in libunbound fails
> Did further testing with python-unbound (thin wrapper module on top
> of libunbound) with simple script almost equal to this:
> http://www.unbound.net/documentation/pyunbound/examples/example4.html
> Looking at PCAP dumps with Wireshark the requests sent by libunbound
> contain the D0 bit:
> 1... .... .... .... = DO bit: Accepts DNSSEC security RRs
> It seems to me that unbound and Google's therefore return
> RRSIG RRs while pdns-recursor does not.
> I have to admit that looking at [1] rather confuses me. ;-)
> Sniffing the out-going requests sent by pdns-recursor the D0 bit is
> missing. Obviously the DNS servers then do not respond with RRSIG 
> RRs.
> Ciao, Michael.
> [1] http://tools.ietf.org/html/rfc4035#section-3.2.1

Hi Michael,

It's to bad nobody replied to you yet.

Let me tell how it is:

The DO-bit in the request to the recursor means: please include DNSSEC 

Then if the recursor you are requesting it from does validation and it 
fails it will return an error similar to domain not found.

If it doesn't do any DNSSEC validation it will just return the reply it 
got from an authoritative server.

If the domain has DNSSEC-information and the recursor does validation 
and it was correct it will set the AD-bit in the response.

So a non-validating recursor will never set the AD-bit.

Now let's take your set up with Unbound-recursor forwarding to the 

A recursor like Unbound when it does validation it needs the 
DNSSEC-information, so it will request it from the PDNS-recursor it
forwards the requests to (D0-bit set).

PDNS-recursor doesn't yet support DNSSEC, so it will reply without 
including any DNSSEC-information.

Thus Unbound can't do any validation and it will thus fail all 
requests. Thus from Unbound you'll end up with answers: domain not 

The PowerDNS developers did want to put time in it, they've talked 
about it a couple of times, for example this blog post:


If I understand correctly the PowerDNS developers have put in some of 
the time to add DNSSEC to their recursor but it isn't done yet.

In the past I've requested from the PowerDNS developers, would it be 
possible to at least include the DNSSEC-information so Unbound do the 

I told them you can leave the validation out of PowerDNS-recursor, I 
care less about that.

The answer I got was:

The validation is in comparison the easy part, changing the recursor to 
return the DNSSEC-information is more work.

So now you know.

Have a good weekend,

More information about the Pdns-users mailing list