Allow response with AD bit in resolver
Kirill A. Korinsky
kirill at korins.ky
Mon Jun 17 22:18:19 UTC 2024
Greetings,
On Mon, 17 Jun 2024 19:08:22 +0100,
J Carter <jordanc.carter at outlook.com> wrote:
>
> It's caused by DNS Cache poisoning (either intentionally, or
> unintentionally), from a recursive resolver that caches CD bit but
> does not zero it if a non dns-sec query hits that cached response.
>
> I see unbound also has a ticket open for this:
> https://github.com/NLnetLabs/unbound/issues/649
I just tried it on my laptop where I use local libunbound-based resolver,
and I can't reproduce it:
~ $ dig +short sigfail.verteiltesysteme.net @127.0.0.1
~ $ dig +cd +short sigfail.verteiltesysteme.net @127.0.0.1
sigfail.rsa2048-sha256.ippacket.stream.
195.201.14.36
~ $ dig +short sigfail.verteiltesysteme.net @127.0.0.1
Thus, I've tried unbound 1.18 and 1.20 as well with the same result.
But anyway, I suggest you offer a ptach because it can be quite painful for LB.
--
wbr, Kirill
More information about the nginx
mailing list