Maintained by: NLnet Labs

[Unbound-users] Forwarding failing when DNSSec is enabled

Leen Besselink
Thu Jul 2 17:05:53 CEST 2009


On Thu, Jul 02, 2009 at 04:57:01PM +0200, W.C.A. Wijngaards wrote:
> On 07/02/2009 04:54 PM, Leen Besselink wrote:
> > Does this information help?
> > 
> >> Yes, it does take away my uncertainty about whether I understand correctly how DNSSEC works.
> >> It's not possible for Unbound to ask the forwarder for the specific record (I think it's something like KEY)?
> >> Or would a forwarder strip that also?
> >> Or would all these extra requests delay the whole thing far too much, and is that a good reason not to do it?
> 
> The problem is that the signature should be kept with the data.  If you
> ask for the signature and data separately you do not know if they match.
> In fact they may very well be from different versions of the zone,
> therefore in DNSSEC the signatures are sent together with the data.
> 

Ohh, of course, now I understand they could otherwise be from different
nameservers with different versions of the zone, or from the same
nameserver but the zone was recently changed.

Thank you for your time, that makes things a lot clearer.

> It would also be slower, yeah.
> 
> Best regards,
>    Wouter
_____________________________________
New things are always on the horizon.
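The point Wouter makes above (the RRSIG is computed over the whole RRset, so a signature and a data set fetched in separate queries cannot be trusted to belong together) is easy to see in code. The following Go program is an added example for this thread, not code from the discussion or from Unbound. It signs a constructed A RRset with Ed25519 (DNSSEC algorithm 15) and then checks it once against an answer from the same zone version and once against data from a later version of the zone. The canonical form and the RRSIG fields are simplified text renderings rather than the RFC 4034 wire encoding, and the zone contents, names and key are all made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record (owner, TTL, type, RDATA as text).
type RR struct {
	Name  string
	TTL   uint32
	Type  string
	Rdata string
}

// RRSIG keeps only the RRSIG RDATA fields needed here (RFC 4034 section 3.1);
// the real record also carries algorithm, labels, original TTL, expiration,
// inception and key tag.
type RRSIG struct {
	TypeCovered string
	SignerName  string
	Signature   []byte
}

// canonicalRRset renders the RRset in a canonical order (lowercased owner,
// RRs sorted) so the signature does not depend on the order in which a server
// happens to return the records. This text form is a simplification of the
// canonical wire form in RFC 4034 section 6.
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s %d %s %s",
			strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.Rdata))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// signedData is what the signer signs: the RRSIG RDATA without the signature
// field, followed by the canonical RRset. The RRset contents are therefore
// bound into the signature.
func signedData(sig RRSIG, rrs []RR) []byte {
	header := sig.TypeCovered + "|" + strings.ToLower(sig.SignerName) + "|"
	return append([]byte(header), canonicalRRset(rrs)...)
}

// SignRRset produces an RRSIG over the whole RRset with an Ed25519 key.
func SignRRset(priv ed25519.PrivateKey, signer string, rrs []RR) RRSIG {
	sig := RRSIG{TypeCovered: rrs[0].Type, SignerName: signer}
	sig.Signature = ed25519.Sign(priv, signedData(sig, rrs))
	return sig
}

// VerifyRRset checks an RRSIG against the RRset it claims to cover.
func VerifyRRset(pub ed25519.PublicKey, sig RRSIG, rrs []RR) bool {
	if len(rrs) == 0 || sig.TypeCovered != rrs[0].Type {
		return false
	}
	return ed25519.Verify(pub, signedData(sig, rrs), sig.Signature)
}

// VersionMismatchDemo plays out the scenario from the thread on a constructed
// zone: validation with RRSIG and data from the same zone version (sent
// together in one answer), and with an RRSIG fetched separately that belongs
// to an older version of the zone.
func VersionMismatchDemo() (bundledOK bool, separateOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Zone version 1: two A records (constructed sample data).
	v1 := []RR{
		{"www.example.", 3600, "A", "192.0.2.1"},
		{"www.example.", 3600, "A", "192.0.2.2"},
	}
	sigV1 := SignRRset(priv, "example.", v1)

	// Data and RRSIG returned together come from the same zone version;
	// a different record order in the answer still validates.
	bundledOK = VerifyRRset(pub, sigV1, []RR{v1[1], v1[0]})

	// The zone is then changed: one address replaced.
	v2 := []RR{
		{"www.example.", 3600, "A", "192.0.2.1"},
		{"www.example.", 3600, "A", "192.0.2.3"},
	}
	// Fetching the RRSIG in a separate query can pair old signature with
	// new data; the validator has no way to tell them apart except failure.
	separateOK = VerifyRRset(pub, sigV1, v2)
	return bundledOK, separateOK
}

func main() {
	bundled, separate := VersionMismatchDemo()
	fmt.Printf("RRSIG and RRset from the same zone version: valid=%v\n", bundled)
	fmt.Printf("RRSIG from version 1, RRset from version 2: valid=%v\n", separate)
}
```

The second check fails not because anything was tampered with, but simply because the two pieces were taken from different zone versions; a validator that received them separately could not distinguish this from an attack, which is why DNSSEC carries the RRSIG in the same answer as the RRset.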