When a local application queries Unbound for a domain that is secured by DNSSEC and the answer from the forwarder fails validation, I would expect Unbound to reply with an error. Instead it doesn't reply at all and the application times out.

$ time dig www.rhybar.cz

; <<>> DiG 9.9.3-P2 <<>> www.rhybar.cz
;; global options: +cmd
;; connection timed out; no servers could be reached

real 0m15.024s
user 0m0.000s
sys 0m0.000s

www.rhybar.cz is a testing domain run by CZ.NIC that can be used for checking the client-side behavior when the answers fail DNSSEC validation. We need to check the RFCs for the correct behavior, but a timeout doesn't seem to be a nice solution for local applications and for users.
From what I tested BIND-9.9.4 returns SERVFAIL for the same domain, since its RRSIG is intentionally wrong.
I can't reproduce that:

paul@bofh:~$ sudo systemctl restart unbound.service
paul@bofh:~$ time dig www.rhybar.cz @localhost

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-14.P2.fc19 <<>> www.rhybar.cz @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10229
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rhybar.cz. IN A

;; Query time: 992 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Feb 21 10:16:41 EST 2014
;; MSG SIZE rcvd: 42

real 0m1.008s
user 0m0.014s
sys 0m0.002s
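Added example (not code from the bug report or from Unbound): a small checker that distinguishes the three outcomes discussed in this thread, a timeout, a SERVFAIL caused by DNSSEC validation failure, and a plain upstream SERVFAIL, by sending the same query once normally and once with the CD (checking disabled) bit set; the SERVFAIL_REPLY bytes are reconstructed from the dig output above (id 10229, flags qr rd ra, 42 bytes), and probe() assumes a resolver listening on UDP port 53.

```python
import socket
import struct

# Constructed example: decodes DNS headers, builds the query dig sends, and
# classifies what a validating resolver did with a domain whose RRSIG is broken.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010  # header flag bits

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_message(qname, qid, flags, qtype=1):
    """Header + one question + an EDNS0 OPT pseudo-RR (udp 4096), as dig sends it."""
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)  # root name, type OPT, bufsize
    return header + question + opt

def parse_header(msg):
    """Return the 12-byte header fields that matter for this diagnosis."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ad": bool(flags & AD), "answers": an, "size": len(msg)}

def probe(server, qname, cd=False, timeout=5.0, qid=0x2BC5):
    """One UDP query to a resolver; returns None on timeout (the behaviour reported)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_message(qname, qid, RD | (CD if cd else 0)), (server, 53))
        return sock.recvfrom(4096)[0]
    except socket.timeout:
        return None
    finally:
        sock.close()

def diagnose(plain_reply, cd_reply):
    """Classify from a normal reply and a CD-bit reply (RFC 4035 section 3.2.2)."""
    if plain_reply is None:
        return "TIMEOUT: resolver dropped the query instead of answering"
    plain = parse_header(plain_reply)
    checked = parse_header(cd_reply) if cd_reply else None
    if plain["rcode"] == "SERVFAIL" and checked and checked["rcode"] == "NOERROR":
        return "SERVFAIL: DNSSEC validation failure (unvalidated data served with CD set)"
    if plain["rcode"] == "SERVFAIL":
        return "SERVFAIL: upstream or resolver error, not specific to validation"
    return "%s%s" % (plain["rcode"], " (AD: validated)" if plain["ad"] else "")

# Reply reconstructed from the dig output above: id 10229, flags qr rd ra, SERVFAIL.
SERVFAIL_REPLY = build_message("www.rhybar.cz", 10229, QR | RD | RA | 2)
```

Against a live resolver, `diagnose(probe("127.0.0.1", "www.rhybar.cz"), probe("127.0.0.1", "www.rhybar.cz", cd=True))` reports whether it times out, SERVFAILs because of validation, or answers.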
OK, moved upstream with more details about the tested version: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=566
I would like to track this upstream change getting into Fedora 20.
I'm afraid this is not the bug report I wanted to work with.