Allow response with AD bit in resolver
Kirill A. Korinsky
kirill at korins.ky
Sun Jun 16 09:07:28 UTC 2024
On Sun, 16 Jun 2024 02:45:15 +0100,
J Carter <jordanc.carter at outlook.com> wrote:
>
> Sounds familiar :)
>
> https://mailman.nginx.org/pipermail/nginx-devel/2022-May/YQ3MYP4VNQYWEJS3XYLPMU4HZUKS4PYF.html
Unfortunately, the AD bit is set by the libunbound-based resolver when it is
configured to use an upstream forwarder that also supports security.
My guess is that unbound uses itself as a DNS client in this case and sets such
a bit in the request to the upstream.
Probably it can be fixed in unbound / libunbound, but such behavior exists
right now and affects many different devices...
Thus, RFC 6840 suggested setting such a bit when a request has one, but did not
require it, which means that the current logic of libunbound is RFC compliant, and
nginx is violating it by rejecting such a request.
--
wbr, Kirill
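
The header-flag distinction discussed in this thread, as an added example that is not part of the original message and is not nginx or libunbound code. The strict mask is an assumed stand-in for a resolver that rejects responses carrying AD, the function names are hypothetical, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035). */
#define DNS_QR     0x8000u  /* message is a response */
#define DNS_OPCODE 0x7800u  /* 0 = standard query */
#define DNS_Z      0x0040u  /* reserved, must be zero */
#define DNS_AD     0x0020u  /* authentic data */
#define DNS_CD     0x0010u  /* checking disabled */

/* Read the 16-bit flags field; fails if the 12-byte header is incomplete. */
static int dns_flags(const uint8_t *msg, size_t len, uint16_t *flags)
{
    if (msg == NULL || len < 12) return -1;
    *flags = (uint16_t)((msg[2] << 8) | msg[3]);
    return 0;
}

/* Assumed strict check: treats AD and CD like reserved bits, so a
 * response with AD set is dropped even though it is well formed. */
int accept_strict(const uint8_t *msg, size_t len)
{
    uint16_t f;
    if (dns_flags(msg, len, &f) != 0) return 0;
    return (f & (DNS_QR | DNS_OPCODE | DNS_Z | DNS_AD | DNS_CD)) == DNS_QR;
}

/* Tolerant check: ignores AD and CD, still requires QR set, opcode 0 and
 * the reserved Z bit clear. Accepting the message is not the same as
 * trusting AD: a client that does not validate must not treat AD as
 * proof unless the path to the resolver is itself secured. */
int accept_tolerant(const uint8_t *msg, size_t len)
{
    uint16_t f;
    if (dns_flags(msg, len, &f) != 0) return 0;
    return (f & (DNS_QR | DNS_OPCODE | DNS_Z)) == DNS_QR;
}

/* Constructed 12-byte headers: id 0x1234, one question, one answer. */
const uint8_t resp_plain[12] = {0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0};
const uint8_t resp_ad[12]    = {0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 0};
const uint8_t resp_z[12]     = {0x12, 0x34, 0x81, 0xc0, 0, 1, 0, 1, 0, 0, 0, 0};
const uint8_t query[12]      = {0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0};
```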