Maintained by: NLnet Labs

How to force resolution failure of an unsigned domain

W.C.A. Wijngaards
Mon Apr 3 14:47:45 CEST 2017


Hi Sen Dion,

This is not needed.  Unbound can keep apart unsigned domains and domains
where the crypto fails or is missing.  This is a feature of DNSSEC,
where there is a signature over data that says the domain is unsigned.
So the user can trust the absence of the ad flag (and the data is then
insecure, but we know securely that it could arrive without signatures).

Best regards, Wouter

On 02/04/17 21:07, Sen Dion via Unbound-users wrote:
>    Hello Everybody,
> 
> It looks like there is an assumption that it is an application 
> responsibility to get user consent before accessing an unsigned domain 
> (whenever 'ad' flag is not set).  AFAIK, that is not the case: majority 
> of applications is not 'ad' flag aware.
> 
> 
> How to prevent accesses to unsigned domains from these applications?  Is 
> there a way to force resolution failure (in unbound) for an unsigned 
> domain?
> 
>    Regards,
>    Sen Dion
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20170403/8860e57a/attachment.sig>