Maintained by: NLnet Labs

[Unbound-users] Insisting on DNSSEC

Rick van Rein
Mon Jan 13 16:56:05 CET 2014

Hello Oliver,

>> 2. I think the recursive resolver is the ultimate place to implement insisting on DNSSEC; using an overloaded bit to do it elsewhere somewhat scares me.
> Why does this scare you?  If you don't trust the AD bit from your
> DNSSEC validating resolver - why trust the response at all?

Agreed, so this is not why I said it.

The AD bit has changed meaning over time, and is therefore more dynamic than I’d care to let an admin encode in firewall rules.  Also, the firewall would have to produce a DNS response (if it is not to cause a slowing-down timeout) and that’s always tricky in firewalls.  Keep in mind that I’m trying to avoid apps needing to be reprogrammed — so it’s all up to filtering as far as I can tell.

My conclusion is that doing this at the protocol level is tricky and hairy.  This is due to the fact that DNS has rather… evolved… ways of coding information.  In a resolver on the other hand, the information is present in very, very clear form.  So this is the best possible place for filtering.

> Perhaps DNS is not the right thing for your application.

Neither are /etc/hosts and /etc/krb5.conf I fear ;-)

I’d like to trust the signed portion of DNS, and build security systems on top of that.  So the _old_ DNS isn’t the right thing for the applications I have in mind.

> Unbound has been released under the BSD license which means you are
> free to svn checkout the sources and hack, hack, hack.

That’d only help me, but make it pretty hard to reproduce procedures on other platforms.  So no, I’d love this to be on the mainstream agenda.  This is why I’m proposing it here — to see if there’s traction.
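Added example, not code from this thread, from Rick, or from Unbound: the message above says that a filter sitting between stub and resolver would have to key on the AD bit and then itself produce a DNS response rather than just dropping the packet. The Python below shows what that minimal filter has to do on the wire. It parses the header, passes a response through when AD is set, and otherwise synthesizes a SERVFAIL with the same ID and question section. The sample messages are constructed inline (the address bytes and message ID are made up); helper names such as filter_response are this example's own, and the question parser assumes a single, uncompressed question.

```python
import struct

# DNS header flag bits (RFC 1035 header layout, AD bit from RFC 4035)
QR_FLAG = 0x8000        # message is a response
OPCODE_MASK = 0x7800
RD_FLAG = 0x0100        # recursion desired
RA_FLAG = 0x0080        # recursion available
AD_FLAG = 0x0020        # authentic data: the resolver validated the answer
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2
HEADER_LEN = 12


def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(msg_id: int, name: str, flags: int, rdata: bytes = b"") -> bytes:
    """Construct a sample A-record response (test input, not captured traffic)."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    ancount = 1 if rdata else 0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)
    answer = b""
    if rdata:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def parse_header(msg: bytes):
    """Return (id, flags, qdcount, ancount, nscount, arcount)."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    return struct.unpack("!HHHHHH", msg[:HEADER_LEN])


def question_end(msg: bytes) -> int:
    """Offset just past the question section (QNAME + QTYPE + QCLASS)."""
    pos = HEADER_LEN
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question")
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question not supported")
        pos += 1 + length
    return pos + 1 + 4


def is_validated(msg: bytes) -> bool:
    """True when this is a response and the resolver set AD."""
    _, flags, *_ = parse_header(msg)
    return bool(flags & QR_FLAG) and bool(flags & AD_FLAG)


def rcode(msg: bytes) -> int:
    return parse_header(msg)[1] & RCODE_MASK


def filter_response(msg: bytes) -> bytes:
    """Pass validated answers through; replace everything else with SERVFAIL."""
    msg_id, flags, qdcount, *_ = parse_header(msg)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    if flags & AD_FLAG:
        return msg
    # Synthesize the reply the stub is waiting for: same ID, same question,
    # no answer records, RCODE=SERVFAIL, AD cleared.  Without this the stub
    # would sit in its timeout, which is the slowdown the message warns about.
    new_flags = QR_FLAG | (flags & (OPCODE_MASK | RD_FLAG | RA_FLAG)) | RCODE_SERVFAIL
    header = struct.pack("!HHHHHH", msg_id, new_flags, qdcount, 0, 0, 0)
    return header + msg[HEADER_LEN:question_end(msg)]


if __name__ == "__main__":
    base = QR_FLAG | RD_FLAG | RA_FLAG
    signed = build_response(0x1234, "example.com.", base | AD_FLAG, b"\x5d\xb8\xd8\x22")
    stripped = build_response(0x1234, "example.com.", base, b"\x5d\xb8\xd8\x22")
    print(filter_response(signed) == signed)   # validated answer passes untouched
    print(rcode(filter_response(stripped)))    # unvalidated answer becomes SERVFAIL
```

Note what this filter cannot do: from the AD bit alone it cannot tell an unsigned zone from an answer whose signatures were stripped, so it fails every unsigned name, and it has to trust that the AD bit really came from its own validating resolver (an upstream AD bit is only as good as the path it travelled). Both limits are the reason the message above wants the decision inside the resolver, where the validation state is known directly rather than squeezed into one header bit.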