Hello *,
while doing some research about DNS tunnelling, I stumbled across this Unbound configuration directive: "ignore-cd-flag"
It is set to "no" as a default value, allowing DNSSEC validation bypass:
user@machine:~> dig soa +cd dnssec-failed.org
; <<>> DiG 9.11.2 <<>> soa +cd dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5844
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org. IN SOA

;; ANSWER SECTION:
dnssec-failed.org. 8092 IN SOA dns101.comcast.org. dnsadmin.comcast.net. 2010101935 900 180 604800 7200

;; Query time: 1198 msec
;; SERVER: 10.[REDACTED]#53(10.[REDACTED])
;; WHEN: Tue Oct 30 15:49:53 CET 2018
;; MSG SIZE rcvd: 117
I consider this to be a security risk and would like to set this value to "yes" in IPFire.
Thoughts? Opinions?
Thanks, and best regards, Peter Müller
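Added example (not part of the post, nor code from Unbound or IPFire): the same check as the dig run above, done with raw DNS packets so an operator can verify whether their own resolver honours the CD bit and hands out answers for a zone that fails validation. It assumes UDP port 53 is reachable on the resolver passed to probe(); the packet builder and header parser work offline.

```python
import socket
import struct

# Name taken from the post; any deliberately DNSSEC-broken zone works.
TEST_NAME = "dnssec-failed.org"

def build_query(name, qtype=6, cd=False, txid=0x16D4):
    """Build a raw DNS query with RD set and, optionally, the CD bit (qtype 6 = SOA)."""
    flags = 0x0100 | (0x0010 if cd else 0)          # RD, plus CD (bit 4 of flags)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Return the header fields relevant to a validation check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "cd": bool(flags & 0x0010), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F, "answers": an}

def cd_bypasses_validation(resp_plain, resp_cd):
    """True when the resolver SERVFAILs without CD but returns an answer with CD set,
    i.e. a client can opt out of DNSSEC validation (Unbound ignore-cd-flag: no)."""
    plain, withcd = parse_header(resp_plain), parse_header(resp_cd)
    return plain["rcode"] == 2 and withcd["rcode"] == 0 and withcd["answers"] > 0

def probe(resolver, name=TEST_NAME, timeout=5):
    """Send both query variants to a resolver over UDP and evaluate (needs network)."""
    responses = []
    for cd in (False, True):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        sock.sendto(build_query(name, cd=cd), (resolver, 53))
        responses.append(sock.recv(4096))
        sock.close()
    return cd_bypasses_validation(*responses)
```

With ignore-cd-flag set to "yes", both queries should come back SERVFAIL and probe() returns False.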