Maintained by: NLnet Labs

[Unbound-users] Insisting on DNSSEC

Rick van Rein
Sun Jan 12 00:00:01 CET 2014

Hello Anand,

>> Am I correct that Unbound cannot require DNSSEC validation for its
>> resolution?
> […] Of course, if a
> zone is not signed, then there's nothing to validate.

In that case, I would prefer not delivering the records.  This is different from everyday use of DNS.  However, for the applications I mentioned this could make good sense.

I can imagine having different resolvers in a network, or perhaps different views on one resolver, where the hardcore security apps receive NXDOMAIN or Bogus or something similar if DNSSEC is not present while your everyday silly apps (browser, gopher, ping6) do receive their answers.  It is likely that the hardcore security apps would want to have a local Unbound instance running to avoid influence when the LAN is crossed.

> Additionally, a
> user can send a query with the CD flag set, and then unbound will send
> results, even if validation failed.

Quite the opposite direction of where I’d like to move ;-

> Are you suggesting that unbound ignore the CD flag? Or are you asking
> for something else?

I *think* I am asking for something new — namely, to insist on presence of DNSSEC and proper validation on it.  In other words, to be able to neglect anything that is not properly signed.
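The policy asked for above can be approximated on the application side today, without any new resolver feature: query a validating resolver with CD clear, and only deliver answers whose header carries the AD bit. The following is an added example (not code from the thread or from Unbound) that parses the 12-byte DNS header and applies exactly that "no DNSSEC, no data" rule; the header bytes it runs on are constructed inline.

```python
import struct
from enum import Enum

# Header flag bits (RFC 1035 / RFC 4035) and the RCODE values we act on.
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

class Verdict(Enum):
    DELIVER = "deliver"           # AD set: resolver authenticated the answer
    NXDOMAIN = "nxdomain"         # authenticated denial of existence (AD set)
    BOGUS = "bogus"               # SERVFAIL or other error: nothing usable
    UNSIGNED = "refuse-unsigned"  # answer without AD: unsigned zone, or no validation

def strict_query_flags() -> int:
    """Flags for a query from a 'hardcore' app: RD and AD set, CD clear.
    AD in a query asks the resolver to report AD in the reply (RFC 6840, 5.7);
    leaving CD clear means the resolver must not hand back data that failed
    validation, which is the behaviour the thread above wants to avoid."""
    return FLAG_RD | FLAG_AD

def classify_response(wire: bytes) -> Verdict:
    """Apply the 'insist on DNSSEC' policy to a raw DNS response header."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", wire[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        # Even a denial needs NSEC/NSEC3 proof before it is trusted.
        return Verdict.NXDOMAIN if flags & FLAG_AD else Verdict.UNSIGNED
    if rcode != RCODE_NOERROR:
        return Verdict.BOGUS
    return Verdict.DELIVER if flags & FLAG_AD else Verdict.UNSIGNED

def header(flags: int, ancount: int = 0) -> bytes:
    """Build a 12-byte response header (constructed sample input, id 0x1234)."""
    return struct.pack("!6H", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | flags,
                       1, ancount, 0, 0)

if __name__ == "__main__":
    for label, wire in [("validated", header(FLAG_AD, 1)),
                        ("unsigned zone", header(0, 1)),
                        ("validation failed", header(RCODE_SERVFAIL))]:
        print(f"{label:18s} -> {classify_response(wire).value}")
```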