[Unbound-users] local-data in combination DNSSEC signed zones

Marco Davids (SIDN)
Tue Oct 12 14:09:16 CEST 2010


I conducted a small test with the cool 'local-data' feature of Unbound
in combination with a signed zone. It seems to work, be it in an
'insecure' way for the 'local-data'.

My intuition tells me I might be doing something unnatural here, of
which I might not completely oversee the consequences.

Basically what I am wondering is if anyone has an opinion on this? I am
not exactly sure what to think of it.

For example, Windows 7 has a policy-option in the “Name Resolution
Policy Table” to demand DNSSEC for certain domains (never actually tried

You get the picture; when 'local-data' is used, Unbound might return
insecure answers, with no 'ad'-flag set, for a zone that is expected to
be secure.

I guess the way it works now is the best way to go, so I am not
advocating any changes here. Just wondering about other people's opinion
on this.
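The behaviour described in the post, as an added configuration example that is not from the original message: a validating Unbound with a 'local-data' override inside a signed zone, and the 'unbound-host -v' check that shows the overridden name answered as (insecure) while other names in the same zone still validate. The zone name, host name and address are placeholders (example.net, RFC 5737 space); the trust anchor path is an assumption.

```conf
# unbound.conf fragment (constructed example, not from the original post)
server:
    # DNSSEC validation is on and anchored at the root
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # 'transparent': names not listed in local-data are still resolved
    # from the real, signed zone and validated as usual
    local-zone: "example.net." transparent

    # Locally synthesised answer for one name in the signed zone.
    # It never passes through the validator, so it is returned without
    # the AD flag: clients or policies that require DNSSEC for
    # example.net. will treat this answer as insecure.
    local-data: "host.example.net. IN A 192.0.2.10"

# Check from a shell (assumed config path):
#   unbound-host -C /etc/unbound/unbound.conf -v host.example.net
#   unbound-host -C /etc/unbound/unbound.conf -v www.example.net
# The first reports (insecure), the second (secure) for a name that was
# actually fetched and validated.
```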