[dns-operations] unbound-bind chain causing validation failures on synthesized records

Casey Deccio casey at deccio.net
Mon Jul 9 19:35:49 UTC 2012

On Mon, Jul 9, 2012 at 12:18 PM, Paul Wouters <paul at cypherpunks.ca> wrote:

> when forwarding unbound to a bind instance with dnssec support enabled,
> but dnssec validation disabled, and when querying for a wildcard instance
> (eg foo.fedorapeople.org), bind's reply to unbound is not satisfactory to
> unbound. It seems unbound is expecting an NSEC/RRSIG over the NS record
> set in the authority section, and marks the result bogus:
> It is not entirely clear to me if this is a bind or unbound bug.
> This can be simply reproduced by running bind 9.9.1 (or 9.8.x) using:
I've experienced this as well.  A DNSSEC aware, non-validating BIND
resolver does not return NSEC(3) RRs for responses containing expanded
wildcards.  If you turn on validation, it returns NSEC RRs just fine.  Any
validating resolvers (including other BIND resolvers) using the
non-validating BIND resolver recursively cannot validate wildcard
responses.  I thought I had reported this issue to bind9-bugs many months
ago, but I can't seem to find any record of it in my email...  I also can't
find my sunglasses.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120709/ee91ca86/attachment.html>

More information about the dns-operations mailing list