Bug 1216 - Disable DNSSEC, DO Flag
Disable DNSSEC, DO Flag
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
1.6.0
x86_64 Linux
: P5 enhancement
Assigned To: unbound team
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-02-07 18:55 CET by Andrew
Modified: 2017-02-08 08:26 CET (History)
3 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew 2017-02-07 18:55:16 CET
I have a case, where I don't want to use DNSSEC (crazy fool you say!).

libunbound with no trust anchor and only the iterator module enabled, still makes queries with the DO flag enabled. This is an issue for my niche use case (+ bug #715).

Beyond the obvious fact this doesn't really cause an issue for the majority of people, it feels really odd to be asking for data, that is going to be ignored when it's known not to be required as there is no validator module.
Comment 1 Wouter Wijngaards 2017-02-08 08:26:12 CET
Hi Andrew,

The DNSSEC support cannot be turned off in Unbound.  It always fetches signatures and DNSSEC data, in case a downstream (client or validator) needs them.

If you want to make 'weird queries' from your application, perhaps you are looking to use libldns (also from us, www.nlnetlabs.nl) that allows you to build arbitrary query packets and send them.

What is the issue with the DO flag?  If no DNSSEC is used by the domain, then no DNSSEC information is returned?  It should not be a problem to set this flag (it means 'the receiving server understands DNSSEC records you do not have to omit them').

Best regards, Wouter