Does unbound ignore unsigned replies from a signed zone?

User free.sites at gmx.net
Mon May 20 18:21:55 CEST 2019


Hi!

Thanks for your prompt answer. Well, the original post is here:
https://www.snbforums.com/threads/preview-asuswrt-merlin-384-11-with-dns
-over-tls.56095/page-26#post-484685

It's about the Cloudflare security-test website
https://www.cloudflare.com/ssl/encrypted-sni/ that reports "You may not
be using secure DNS" for some users although those users expect another
result. And the original poster brought up that statement about unbound
missing a strict DNSSEC mode ... what then confused me because it
sounded like there is something wrong with unbound what I liked to be
clarified. :hehe: I use unbound on my Raspberry Pi, with DoT upstream
servers (port 853 and tls authentication).

In the end they agreed upon the Cloudfare test site being buggy (compare
https://www.snbforums.com/threads/preview-asuswrt-merlin-384-11-with-dns
-over-tls.56095/page-30#post-485000). However, that statement about
unbound allegedly missing something like a strict dnssec mode (that
dnsmasq and stubby are claimed to have) has been haunting my mind, but
maybe I mix things up ... I'm a DNS newbie.

Best regards








More information about the Unbound-users mailing list