From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Unbound configuration switch "ignore-cd-flag"
Date: Tue, 30 Oct 2018 15:50:58 +0000

Hey,

sounds like a sensible proposal, but the help text says that Windows Server 2008 won't be able to resolve names any more. That is breaking quite a lot.

-Michael

On Tue, 2018-10-30 at 15:51 +0100, Peter Müller wrote:
> Hello *,
>
> while doing some research about DNS tunnelling, I stumbled across this
> Unbound configuration directive: "ignore-cd-flag"
>
> It is set to "no" as a default value, allowing DNSSEC validation bypass:
>
> > user(a)machine:~> dig soa +cd dnssec-failed.org
> >
> > ; <<>> DiG 9.11.2 <<>> soa +cd dnssec-failed.org
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5844
> > ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;dnssec-failed.org. IN SOA
> >
> > ;; ANSWER SECTION:
> > dnssec-failed.org. 8092 IN SOA dns101.comcast.org.
> > dnsadmin.comcast.net. 2010101935 900 180 604800 7200
> >
> > ;; Query time: 1198 msec
> > ;; SERVER: 10.[REDACTED]#53(10.[REDACTED])
> > ;; WHEN: Tue Oct 30 15:49:53 CET 2018
> > ;; MSG SIZE rcvd: 117
> >
>
> I consider this to be a security risk and would like to set this
> value to "yes" in IPFire.
>
> Thoughts? Opinions?
>
> Thanks, and best regards,
> Peter Müller
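Added example, not from the list thread or from the Unbound or IPFire projects: a small Python parser for the 12-byte DNS header that reports the flags the way dig prints them, so a resolver capture can be checked for answers that carry CD without AD, i.e. data the client obtained without validation, which is what the +cd query in the post demonstrates. The packet bytes are constructed here to match the header in that dig output (id 5844, flags qr rd ra cd); the flag bit positions follow RFC 1035 and RFC 4035.

```python
import struct

# Header flag bits, listed in the order dig prints them (RFC 1035; AD/CD from RFC 4035).
FLAG_BITS = {
    "qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
    "ra": 0x0080, "ad": 0x0020, "cd": 0x0010,
}
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def build_header(ident, flag_names, rcode=0, qd=1, an=0, ns=0, ar=0):
    """Pack a 12-byte DNS header (used here only to construct sample packets)."""
    flags = rcode & 0xF
    for name in flag_names:
        flags |= FLAG_BITS[name]
    return HEADER.pack(ident, flags, qd, an, ns, ar)


def parse_header(packet):
    """Unpack the first 12 bytes of a DNS message into a dict."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(packet)
    return {
        "id": ident,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "flags": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def flags_string(header):
    """Render the flags as dig does, e.g. 'qr rd ra cd'."""
    return " ".join(header["flags"])


def validation_bypassed(header):
    """A response with CD set and AD clear is data the resolver handed back
    without validating it, which is what the +cd query in the post obtained."""
    f = header["flags"]
    return "qr" in f and "cd" in f and "ad" not in f


# Constructed sample: the header of the answer shown in the list post
# (id 5844, NOERROR, flags qr rd ra cd, 1 question, 1 answer, 1 additional).
SAMPLE_RESPONSE = build_header(5844, ["qr", "rd", "ra", "cd"], qd=1, an=1, ar=1)

if __name__ == "__main__":
    h = parse_header(SAMPLE_RESPONSE)
    print(f"id: {h['id']}, flags: {flags_string(h)}, bypassed: {validation_bypassed(h)}")
```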