Hello *,

while doing some research about DNS tunnelling, I stumbled across this Unbound configuration directive: "ignore-cd-flag"

It is set to "no" as a default value, allowing DNSSEC validation bypass:

> user(a)machine:~> dig soa +cd dnssec-failed.org
>
> ; <<>> DiG 9.11.2 <<>> soa +cd dnssec-failed.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5844
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;dnssec-failed.org. IN SOA
>
> ;; ANSWER SECTION:
> dnssec-failed.org. 8092 IN SOA dns101.comcast.org. dnsadmin.comcast.net. 2010101935 900 180 604800 7200
>
> ;; Query time: 1198 msec
> ;; SERVER: 10.[REDACTED]#53(10.[REDACTED])
> ;; WHEN: Tue Oct 30 15:49:53 CET 2018
> ;; MSG SIZE rcvd: 117
>

I consider this a security risk and would like to set this value to "yes" in IPFire.

Thoughts? Opinions?

Thanks, and best regards,
Peter Müller

--
Microsoft DNS service terminates abnormally when it receives a response to a DNS query that was never made.
Fix Information: Run your DNS service on a different platform.
-- bugtraq
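For reference, the two settings side by side as an unbound.conf fragment. This is an added example, not part of the post above and not IPFire's own configuration; the surrounding directives (interface, access-control, auto-trust-anchor-file) are assumed for context and are not taken from the post.

```conf
# Added example, not from the post or from IPFire.
# The "server:" clause and the context directives below are assumptions;
# only "ignore-cd-flag" is the directive discussed in the post.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # DNSSEC validation is only meaningful with a trust anchor configured.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Default behaviour (weak): a client that sets the CD ("checking
    # disabled") bit receives data that failed validation, as the
    # dig +cd run against dnssec-failed.org in the post shows.
    # ignore-cd-flag: no

    # Hardened: Unbound ignores the client's CD bit, so validation cannot
    # be switched off per query and bogus data is not returned (SERVFAIL).
    ignore-cd-flag: yes
```

Caveat when deploying this: a downstream resolver that performs its own DNSSEC validation relies on the CD bit to fetch records it wants to validate itself; with ignore-cd-flag set to yes such clients will receive SERVFAIL for bogus names instead of the raw data. For stub clients that do no validation of their own, which is the usual case behind a firewall resolver, the setting removes the bypass without side effects. After the change, the same query from the post is the check: "dig soa +cd dnssec-failed.org" against the resolver should now return status SERVFAIL rather than the SOA record.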