Bug 746

Summary: Unbound sets CD bit on all forwards
Product: unbound    Reporter: la9k3
Component: server    Assignee: unbound team <unbound-team>
Severity: enhancement    CC: cathya, wouter
Priority: P5
Version: 1.5.7
Hardware: Other
OS: All

Description la9k3 2016-03-02 23:09:24 CET
Unbound sets the CD bit for all forwards, making it impossible to relegate validation to another server.

To reproduce:
	num-threads: 1
	cache-min-ttl: 30
	access-control: allow
	port: 53
	chroot: "/etc/unbound"
	username: "unbound"
	logfile: "unbound.log"
	module-config: "iterator"
		name: "."

dig www.dnssec-failed.org (NOERROR)
dig @ www.dnssec-failed.org (SERVFAIL)

Suggested: an option to set the CD bit on/off, or to have the CD bit automatically off if the validator module is not enabled.

This is fixed by removing the |CD_BIT in iterator.c:1901 processQueryTargets() when the variable outq is assigned. I am not familiar enough with the code to make this an option, nor do I know if this is the optimal place to make this change.

Comment 1 Wouter Wijngaards 2016-03-02 23:59:02 CET
Hi la9k3,

Unbound cannot trust the forwarded server, thus communication without CD bit will not give actually secure answers, because communication to and from the forwarded server could have been tampered with.

That is why there is no option for this.

We really want to promote that you validate yourself, i.e. configure a trust anchor and then your local unbound can do the validation on the end-host machine.  Is that an option for you to use?

Another reason why unbound sets the CD option is that it is a server, and if there are other, downstream, validating servers or end-hosts, they must be able to get the full data.

Best regards, Wouter
Comment 2 la9k3 2016-03-03 01:06:01 CET
>Is that an option to you?
It is and it was what I was doing until a while ago, but it is not practical, as my connection to the DNS I am using is very slow (from 200-700ms when CD=0 to 4000s when CD=1 and validator is on).

I use DNS through an encryption channel (dnscrypt), so in this case my connection to the remote server is secure. Moreover, for my use case, DNS validation is only marginally useful (only for MX integrity), and so the marginal trust I give to my DNS forwarders is enough.

I understand why you prefer to keep it, but I do believe setting the CD bit has valid use cases if you only want to provide a caching forwarder. As of now, my choice is to give up security for speed completely (disable validator) or give up speed for security. An in-between would be best.
Comment 3 Wouter Wijngaards 2016-03-17 15:06:19 CET

Fixed code in the code repository.  If there is no dnssec configured, it'll send CD=0 to the forwarder.   If dnssec is configured, it'll send CD=0 at first, but retry with CD=1 to get the full info.

I believe that this should fix your issues?

Best regards, Wouter
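The forwarder behaviour described in Comment 3, as an added Python illustration that is not unbound's own code: it builds queries with the CD flag on or off, and a constructed upstream stand-in answers a bogus zone the way a validating forwarder would (SERVFAIL when asked to validate, unvalidated data when CD=1). The rule that a SERVFAIL is what triggers the CD=1 retry is an assumption; the comment states only that CD=0 is tried first and CD=1 retried when a validator is configured.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authentic data: the answering server validated the answer
FLAG_CD = 0x0010   # checking disabled: "give me the data, do not validate for me"
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname: str, qid: int, cd: bool, qtype: int = 1) -> bytes:
    """One-question DNS query (class IN) with RD set and CD as requested."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Decode the header fields a forwarder looks at: id, rcode, CD and AD flags."""
    qid, flags = struct.unpack("!HH", msg[:4])
    return {"id": qid, "rcode": flags & 0x000F,
            "cd": bool(flags & FLAG_CD), "ad": bool(flags & FLAG_AD)}

def forward_with_policy(qname: str, dnssec_configured: bool, upstream) -> list:
    """Policy from Comment 3: CD=0 first; only with a local validator retry with
    CD=1 to obtain the unfiltered data. `upstream(query) -> response bytes` stands
    in for the network. Returns the list of (cd_sent, rcode) attempts made."""
    attempts = []
    resp = parse_header(upstream(build_query(qname, 1, cd=False)))
    attempts.append((False, resp["rcode"]))
    # Assumption: the retry is triggered by SERVFAIL (the comment does not name the
    # trigger). Without a local validator nothing could check a CD=1 answer.
    if dnssec_configured and resp["rcode"] == RCODE_SERVFAIL:
        resp = parse_header(upstream(build_query(qname, 2, cd=True)))
        attempts.append((True, resp["rcode"]))
    return attempts

def constructed_upstream(query: bytes) -> bytes:
    """Constructed stand-in for a validating forwarder facing a bogus zone such as
    dnssec-failed.org: SERVFAIL when asked to validate (CD=0), raw unvalidated
    data (NOERROR, AD=0) when the client sets CD=1."""
    q = parse_header(query)
    rcode = RCODE_NOERROR if q["cd"] else RCODE_SERVFAIL
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_CD if q["cd"] else 0) | rcode
    return struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0) + query[12:]
```

With the reporter's `module-config: "iterator"` there is no local validator, so the policy sends CD=0 only and the forwarder's SERVFAIL for the bogus name is what the client sees; with a validator configured the CD=1 retry brings back the data for local validation, which is the point Comment 1 makes about not trusting the forwarder's verdict.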
Comment 4 Wouter Wijngaards 2016-03-29 09:14:46 CEST
Closing the issue.  If you have observations, please open a new one.
Best regards, Wouter