How to disable DNSSEC validation

Hi.

I would like to ask if there is any way
I can disable DNSSEC validation for ALL
domains using unbound-control?

I know it can be done by changing the
"module-config". However I need to do it
just by calling unbound-control during
the runtime.

I tried:
# unbound-control insecure_add .
# unbound-control flush_zone .

But unbound is still validating.

Thanks in advance for your help.

Regards,
Tomas Hozza

Hi Tomas,

You can set permissive mode at runtime (val-permissive-mode: yes).
Another way may be to edit the config file; and remove the trust
anchors and reload it.

(there is even documentation for this:
http://unbound.net/documentation/howto_turnoff_dnssec.html )

Best regards, Wouter

> Hi Tomas,
>
> You can set permissive mode at runtime (val-permissive-mode: yes).
> Another way may be to edit the config file; and remove the trust
> anchors and reload it.

Setting val-permissive-mode to yes using unbound-control during
the runtime does not work.

root@thozza-pc /home/thozza
# dig @127.0.0.1 www.dnssec-failed.org

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-11.P2.fc19 <<>> @127.0.0.1 www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27325
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 04 15:55:23 CET 2013
;; MSG SIZE rcvd: 50

root@thozza-pc /home/thozza
# unbound-control get_option val-permissive-mode
no
root@thozza-pc /home/thozza
# unbound-control set_option val-permissive-mode: yes
ok
root@thozza-pc /home/thozza
# unbound-control flush_zone .
ok removed 209 rrsets, 214 messages and 10 key entries
root@thozza-pc /home/thozza
# dig @127.0.0.1 www.dnssec-failed.org

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-11.P2.fc19 <<>> @127.0.0.1 www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47988
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; Query time: 3826 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 04 15:56:08 CET 2013
;; MSG SIZE rcvd: 50

root@thozza-pc /home/thozza
# unbound-control get_option val-permissive-mode
yes

> (there is even documentation for this:
> http://unbound.net/documentation/howto_turnoff_dnssec.html )

I know, but 'val-permissive-mode' is not listed in the
unbound-control man page as a supported option when using
the set_option command.

I guess there is no other way, but to change the unbound.conf
and reload the server.

Regards,

Tomas Hozza
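
The dig test used in this thread can be made repeatable by comparing a normal query with a +cd (checking disabled) query for the same broken zone. This is an added example, not code from the thread participants or the Unbound project; the function names and the second sample header are constructed, and it assumes the resolver honours the CD bit.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a resolver enforces
# DNSSEC validation by comparing a normal query with a +cd (checking
# disabled) query for a zone whose signatures are deliberately broken.
# Assumption: the resolver honours the CD bit.

# Read dig output on stdin, print the response code from the header line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify_validation PLAIN_STATUS CD_STATUS
classify_validation() {
    case "$1/$2" in
        SERVFAIL/NOERROR) echo enforcing ;;      # bogus data withheld unless CD set
        NOERROR/NOERROR)  echo not-enforcing ;;  # validator off or permissive
        *)                echo inconclusive ;;   # e.g. zone unreachable either way
    esac
}

# Live use (needs dig and a running resolver):
#   check_resolver 127.0.0.1 www.dnssec-failed.org
check_resolver() {
    plain=$(dig "@$1" "$2" A +tries=1 | dig_status)
    cd=$(dig "@$1" "$2" A +cd +tries=1 | dig_status)
    classify_validation "$plain" "$cd"
}

# Constructed sample headers so the parsing can be exercised offline.
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27325'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242'

classify_validation \
    "$(printf '%s\n' "$SAMPLE_PLAIN" | dig_status)" \
    "$(printf '%s\n' "$SAMPLE_CD" | dig_status)"
```

A SERVFAIL on both queries says nothing about validation, since the zone may simply be unreachable, which is why that case is reported as inconclusive.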