Unbound and DNSSEC validation

Hello,

I’ve been running unbound 1.6.6 on CentOS 7 and noticed that DNSSEC-related queries (e.g. DNSKEY) are issued even if the original query requires DNSSEC validation to not be performed (CD flag enabled). Is it possible to make unbound not issue those DNSSEC queries without disabling the validator module?

Thanks,

Luca

Hi Luca,

This is not possible. The validator module always tries to validate the records so that they are entered in the cache with the appropriate DNSSEC status.
This also allows for bogus answers to be cached with the configured 'val-bogus-ttl:' (default 60 secs; to prevent repeated revalidation of bogus data) since the TTL from the bogus answer cannot be trusted.

As a side note, you could use 'domain-insecure:' for specific zones and that would signal the validator to not attempt validation there (so no DNSKEY queries), but I don't think that is relevant to your question.

Best regards,
-- George
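As an added illustration (not part of either message above, and not taken from the Unbound project's own documentation), the following unbound.conf fragment shows the two settings George refers to, 'val-bogus-ttl:' and 'domain-insecure:', alongside the default module stack that keeps the validator loaded. The zone name is a placeholder; the option names and the 60-second default are as stated in the reply.

```conf
# Added example, not from the thread. Assumes a standard unbound.conf layout.
server:
    # Default module stack: the validator stays loaded, so answers are entered
    # into the cache with their DNSSEC status. As the reply explains, a client
    # sending CD does not stop these internal DNSKEY lookups.
    module-config: "validator iterator"

    # Bogus answers are cached for this many seconds (60 is the default) so that
    # bogus data is not re-fetched and re-validated on every client query.
    val-bogus-ttl: 60

    # Mark a zone as insecure: the validator skips validation for names under it,
    # so no DNSKEY queries are made for that zone. Placeholder zone name.
    domain-insecure: "example.internal."
```

After editing the file, 'unbound-checkconf' reports syntax problems before the daemon is restarted, and 'unbound-control flush_zone' (if remote control is enabled) clears cached entries for a zone whose status was changed.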