Maintained by: NLnet Labs

[Unbound-users] Forwarding failing when DNSSec is enabled

W.C.A. Wijngaards
Thu Jul 2 16:57:01 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/02/2009 04:54 PM, Leen Besselink wrote:
> Does this information help?
> 
>> Yes, it does take away my uncertainty about whether I understand correctly how DNSSEC works.
>> It's not possible for Unbound to ask the forwarder for the specific record (I think it's something like KEY) ?
>> Or would a forwarder strip that also ?
>> Or would all these extra requests delay the whole thing far too much, and is that a good reason not to do it ?

The problem is that the signature should be kept with the data.  If you
ask for the signature and data separately you do not know if they match.
In fact they may very well be from different versions of the zone,
therefore in DNSSEC the signatures are sent together with the data.

It would also be slower, yeah.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkpMyr0ACgkQkDLqNwOhpPgwFgCfdBeAs6tsziYOLo5Hd5RGd8PB
tl8An1CCleFMMQwBukOCAEgMNJT6QjK8
=0zdg
-----END PGP SIGNATURE-----
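The point Wouter makes above is that a validator can only trust an RRSIG that arrived in the same response as the RRset it covers. The following is an added example (written for this page, not code from the thread or from Unbound) of the check a resolver operator would want when a forwarder is suspected of stripping DNSSEC records: send the query with the EDNS0 DO bit set, then verify that every answer RRset in the reply is accompanied by an RRSIG covering its type. The two response messages are constructed by hand so the script runs offline; `example.com`, the fake RRSIG fields and the transaction id are assumptions, not real captures.

```python
"""Detect whether a DNS reply carries RRSIGs alongside the answer data.

Added example (not from the Unbound-users thread or Unbound itself).
The SIGNED and STRIPPED messages below are constructed inline; a forwarder
that discards DNSSEC records would hand back something like STRIPPED.
"""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234, do=True):
    """Query with RD set and an OPT pseudo-RR whose DO bit asks for RRSIGs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0,
                                0x8000 if do else 0, 0)
    return header + question + opt


def build_rr(name, rtype, ttl, rdata):
    return (encode_name(name)
            + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata)


def build_response(qname, answers, txid=0x1234):
    """Standard response (QR, RD, RA) with the given answer RRs, no compression."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + b"".join(build_rr(*rr) for rr in answers)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_answers(msg):
    """Return [(owner, rtype, rdata)] for the answer section of a reply."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return answers


def answer_is_signed(msg):
    """True iff every non-RRSIG answer RRset has an RRSIG covering its type."""
    answers = parse_answers(msg)
    data = {(n, t) for n, t, _ in answers if t != TYPE_RRSIG}
    # RRSIG rdata starts with the 16-bit "type covered" field.
    covered = {(n, struct.unpack("!H", rd[:2])[0])
               for n, t, rd in answers if t == TYPE_RRSIG}
    return bool(data) and data <= covered


# Constructed sample data (assumed values, not a real zone or signature).
A_RDATA = bytes([192, 0, 2, 1])
RRSIG_RDATA = (struct.pack("!HBBIIIH", TYPE_A, 8, 2, 3600,
                           1250000000, 1246000000, 12345)
               + encode_name("example.com.") + b"\x00" * 16)
SIGNED = build_response("example.com.", [
    ("example.com.", TYPE_A, 3600, A_RDATA),
    ("example.com.", TYPE_RRSIG, 3600, RRSIG_RDATA),
])
STRIPPED = build_response("example.com.", [("example.com.", TYPE_A, 3600, A_RDATA)])

if __name__ == "__main__":
    print("signed reply carries RRSIG:", answer_is_signed(SIGNED))
    print("stripped reply carries RRSIG:", answer_is_signed(STRIPPED))
```

Against a live forwarder the same test is `dig +dnssec @forwarder example.com A` and looking for an RRSIG next to the A record; if it is absent, Unbound cannot validate through that forwarder no matter what it asks for separately.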