Hey,

sounds like a sensible proposal, but the help text says that Windows Server 2008
won't be able to resolve names any more. That is breaking quite a lot.

-Michael

On Tue, 2018-10-30 at 15:51 +0100, Peter Müller wrote:
> Hello *,
> 
> while doing some research about DNS tunnelling, I stumbled across this
> Unbound configuration directive: "ignore-cd-flag"
> 
> It is set to "no" as a default value, allowing DNSSEC validation bypass:
> 
> > user(a)machine:~> dig soa +cd dnssec-failed.org
> > 
> > ; <<>> DiG 9.11.2 <<>> soa +cd dnssec-failed.org
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5844
> > ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> > 
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;dnssec-failed.org.		IN	SOA
> > 
> > ;; ANSWER SECTION:
> > dnssec-failed.org.	8092	IN	SOA	dns101.comcast.org.
> > dnsadmin.comcast.net. 2010101935 900 180 604800 7200
> > 
> > ;; Query time: 1198 msec
> > ;; SERVER: 10.[REDACTED]#53(10.[REDACTED])
> > ;; WHEN: Tue Oct 30 15:49:53 CET 2018
> > ;; MSG SIZE  rcvd: 117
> > 
> 
> I consider this a security risk and would like to set this
> value to "yes" in IPFire.
> 
> Thoughts? Opinions?
> 
> Thanks, and best regards,
> Peter Müller
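To make the bypass Peter describes concrete, here is an added example (not from the thread or from Unbound) that builds a query carrying the CD bit the way `dig +cd` does, decodes the header flags of the response shown above, and models what `ignore-cd-flag: yes` changes; the packet builder and the `effective_cd` helper are my own constructions, and the response flags word is reconstructed from the quoted `dig` header.

```python
import struct

# DNS header flag bits (RFC 1035 s.4.1.1; AD/CD from RFC 4035 s.3.2).
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data (resolver validated the answer)
FLAG_CD = 0x0010   # checking disabled (client asks resolver NOT to validate)

QTYPE_SOA = 6


def build_query(qname: str, qtype: int, txid: int, cd: bool) -> bytes:
    """Minimal DNS query over UDP; cd=True is what `dig +cd` sends."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte header into the flags dig prints."""
    txid, flags, *_ = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F,
    }


def effective_cd(pkt: bytes, ignore_cd_flag: bool) -> bool:
    """Model of the resolver's decision: with ignore-cd-flag set the
    client's CD bit is disregarded and validation stays in force."""
    return parse_header(pkt)["cd"] and not ignore_cd_flag


def cd_queries(packets) -> list:
    """Detection helper: transaction ids of queries that set CD."""
    return [parse_header(p)["id"] for p in packets
            if parse_header(p)["cd"] and not parse_header(p)["qr"]]


# Constructed sample: the query from the thread, and the quoted response
# header (flags "qr rd ra cd", status NOERROR, id 5844).
QUERY = build_query("dnssec-failed.org", QTYPE_SOA, 5844, cd=True)
RESPONSE_HDR = struct.pack("!HHHHHH", 5844,
                           FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD, 1, 1, 0, 1)
```

With the default `ignore-cd-flag: no`, `effective_cd(QUERY, False)` is true and the bogus SOA is returned without AD; with `yes` the same query is validated as if CD were clear.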