public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Unbound configuration switch "ignore-cd-flag"
Date: Tue, 30 Oct 2018 15:50:58 +0000	[thread overview]
Message-ID: <fdd3d911df609d3b0b57601e938391690cc95915.camel@ipfire.org> (raw)
In-Reply-To: <ff485f32-0205-e05e-9d29-8d49363faff1@link38.eu>

[-- Attachment #1: Type: text/plain, Size: 1381 bytes --]

Hey,

sounds like a sensible proposal, but the help text says that Windows Server 2008
won't be able to resolve names any more. That is breaking quite a lot.

-Michael

On Tue, 2018-10-30 at 15:51 +0100, Peter Müller wrote:
> Hello *,
> 
> while doing some research about DNS tunnelling, I stumbled across this
> Unbound configuration directive: "ignore-cd-flag"
> 
> It is set to "no" as a default value, allowing DNSSEC validation bypass:
> 
> > user(a)machine:~> dig soa +cd dnssec-failed.org
> > 
> > ; <<>> DiG 9.11.2 <<>> soa +cd dnssec-failed.org
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5844
> > ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> > 
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;dnssec-failed.org.		IN	SOA
> > 
> > ;; ANSWER SECTION:
> > dnssec-failed.org.	8092	IN	SOA	dns101.comcast.org.
> > dnsadmin.comcast.net. 2010101935 900 180 604800 7200
> > 
> > ;; Query time: 1198 msec
> > ;; SERVER: 10.[REDACTED]#53(10.[REDACTED])
> > ;; WHEN: Tue Oct 30 15:49:53 CET 2018
> > ;; MSG SIZE  rcvd: 117
> > 
> 
> I consider this being a security risk and would like to set this
> value to "yes" in IPFire.
> 
> Thoughts? Opinions?
> 
> Thanks, and best regards,
> Peter Müller


      reply	other threads:[~2018-10-30 15:50 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-30 14:51 Peter Müller
2018-10-30 15:50 ` Michael Tremer [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=fdd3d911df609d3b0b57601e938391690cc95915.camel@ipfire.org \
    --to=michael.tremer@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox