Maintained by: NLnet Labs

[Unbound-users] local-data in combination DNSSEC signed zones

Paul Wouters
Tue Oct 12 17:54:18 CEST 2010


On Tue, 12 Oct 2010, Marco Davids (SIDN) wrote:

> I conducted a small test with the cool 'local-data' feature of Unbound
> in combination with a signed zone. It seems to work, albeit in an
> 'insecure' way for the 'local-data'.
>
> My intuition tells me I might be doing something unnatural here, of
> which I might not completely oversee the consequences.

> You get the picture; When 'local-data' is used, Unbound might return
> insecure answers, with no 'ad'-flag set, for a zone that is expected to
> be secure.
>
> I guess the way it works now is the best way to go

I don't know about that. Unbound is basically serving verifiably false information
without a ServFail and CD bit. I'd say that's probably wrong, and that it should
not allow overriding DNSSEC data with non-DNSSEC data. But that's pretty
much a "protocol view" over a "real world view". Though with more and more validating
resolvers out there, and those moving to the end users, that data will be less
useful and will get rejected ultimately anyway.

Paul
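The configuration below is an added illustration of the situation discussed in this thread; it is not from Marco's test or from the Unbound documentation. It assumes a validating resolver with a root trust anchor (the trust-anchor path is a placeholder), a signed zone `example.com.` and the documentation address `192.0.2.1` as constructed override data.

```conf
server:
    # Validation is enabled: the resolver holds a trust anchor for the root.
    # (Path is an assumption for this example.)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Constructed example: override a single name inside a DNSSEC-signed zone.
    # With the 'transparent' zone type, names that have local-data are
    # answered from it; every other name under example.com. goes through
    # normal recursion and validation.
    local-zone: "example.com." transparent
    local-data: "www.example.com. 3600 IN A 192.0.2.1"
```

To observe the behaviour Marco describes, query the resolver with `dig +dnssec www.example.com A @127.0.0.1` and then `dig +dnssec example.com SOA @127.0.0.1`. The first answer comes from local-data: it carries no RRSIG and the `ad` flag is absent, even though the zone is signed. The second answer is fetched and validated normally and does show `ad`. A downstream validating client that fetches and checks the signatures itself will reject the overridden record, which is the point Paul makes above. Note also that with `transparent`, a name that has local-data is answered only for the types present in that local-data (other types get a NODATA answer); use `typetransparent` if other types for the same name should still be resolved from the real zone.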