Gentoo Forums
unbound DNSSEC verification with forwarder
totony
Joined: 03 Dec 2014
Posts: 40

Posted: Mon Feb 29, 2016 6:26 am    Post subject: unbound DNSSEC verification with forwarder

Hi, I'm having trouble making unbound honor the DNSSEC verification of my forwarder.

I use unbound as a local caching forwarder, and my forwarder does DNSSEC validation for me.

When I simply put e.g. 8.8.8.8 (Google's DNS) in /etc/resolv.conf, or if I do "dig @8.8.8.8 www.dnssec-failed.org", I see no reply and the status of the DNS reply is set to SERVFAIL due to invalid DNSSEC validation.

When I change resolv.conf to my local unbound instance, it forwards data to 8.8.8.8, but I receive a normal reply from www.dnssec-failed.org. Is there any way to make unbound send back the reply I get from dig @8.8.8.8?

unbound.conf
Code:
server:
   cache-min-ttl: 60
   access-control: 127.0.0.1 allow
   access-control: ::1 allow
   interface: 127.0.0.1
   interface: ::1
   port: 53

   chroot: "/etc/unbound"
   username: "unbound"

   logfile: "unbound.log"
   module-config: "iterator"

forward-zone:
   name: "."
   forward-addr: 8.8.8.8

dig www.dnssec-failed.org
Code:
; <<>> DiG 9.10.3-P2 <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17362
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org.      IN   A

;; ANSWER SECTION:
www.dnssec-failed.org.   6299   IN   A   69.252.193.191
www.dnssec-failed.org.   6299   IN   A   68.87.109.242

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 29 01:21:54 EST 2016
;; MSG SIZE  rcvd: 82


dig @8.8.8.8 www.dnssec-failed.org
Code:
; <<>> DiG 9.10.3-P2 <<>> @8.8.8.8 www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60429
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.dnssec-failed.org.      IN   A

;; Query time: 167 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 29 01:22:55 EST 2016
;; MSG SIZE  rcvd: 50
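As an added offline check (not code from this thread), the following Python parses dig header lines like the two above to tell a validating path from a non-validating one, and flags an unbound module-config that omits the validator module. The dig samples are copied from the post; the unbound.conf fragment is constructed from the posted config.

```python
import re

# Constructed samples: the header lines of the two dig replies quoted in the
# post (via the local unbound, and directly via 8.8.8.8) and the relevant
# line of the posted unbound.conf.
DIG_VIA_UNBOUND = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17362
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_VIA_GOOGLE = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60429
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
UNBOUND_CONF = 'server:\n   module-config: "iterator"\n'


def parse_dig_header(text):
    """Return (status, flag set, answer count) from a dig transcript."""
    status = re.search(r"status: (\w+)", text).group(1)
    m = re.search(r";; flags: ([^;]*);.*ANSWER: (\d+)", text)
    return status, set(m.group(1).split()), int(m.group(2))


def validation_posture(text):
    """Classify a reply for a zone whose signatures are deliberately broken
    (www.dnssec-failed.org). A validating path must refuse to answer
    (SERVFAIL); an answer without the AD flag was never validated by the
    resolver that handed it to the client."""
    status, flags, answers = parse_dig_header(text)
    if status == "SERVFAIL":
        # An upstream outage looks the same; 'dig +cd' distinguishes the two,
        # since it disables validation and should then yield an answer.
        return "validating"
    if answers > 0 and "ad" not in flags:
        return "not-validating"
    return "unknown"


def validator_enabled(conf):
    """True when unbound's own validator module is loaded: unbound only checks
    signatures itself when 'validator' appears in module-config; the built-in
    default is "validator iterator", so "iterator" alone turns it off."""
    m = re.search(r'module-config:\s*"([^"]*)"', conf)
    modules = m.group(1).split() if m else ["validator", "iterator"]
    return "validator" in modules


if __name__ == "__main__":
    print("via unbound:", validation_posture(DIG_VIA_UNBOUND))   # not-validating
    print("via 8.8.8.8:", validation_posture(DIG_VIA_GOOGLE))    # validating
    print("validator in posted conf:", validator_enabled(UNBOUND_CONF))  # False
```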