Maintained by: NLnet Labs

How to force resolution failure of an unsigned domain

Sen Dion
Tue Apr 4 14:47:15 CEST 2017

Hi Wouter,

Thank you for taking time to provide clarification.

I went step-by-step through [2].  The following spot:
  "Next the resolvers checks the contents of the key. If the key is empty (a so called
   null key) is considered verifiable insecure.  The lookup will then proceed as a
   normal DNS lookup."
sounds suspiciously weak from the integrity point of view.

On the next recursion (to resolve, unbound
may cache the bogus response, as shown in [3].  In turn,
this will allow unsuspecting visitors to happily
supply their deepest banking secrets to the fake site.

The above scenario motivates me to ask the following:

- How to prevent accesses to an unsigned name from
  applications which are not 'ad' flag aware?
- Is there a way to force resolution failure (in unbound)
  for an unsigned name?


[1] Chain of Trust, by R. Gieben
[2] See section 3.5 "DNSSEC lookups" in [1].
[3] See section 2.3 "Security" in [1].

- Sen Dion
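The check behind the first question, as an added example that is not part of the original post and not Unbound's own code: a client-side "fail closed" policy that only accepts answers a validating resolver has marked with the AD bit, and treats an answer without AD (an unsigned or provably insecure name) as a resolution failure. The DNS responses below are constructed in the code itself, so it runs offline; the function names (build_response, classify, resolve_strict) are the example's own. The bit positions come from RFC 1035 section 4.1.1 and RFC 4035 section 3.2.

```python
import struct

# DNS header flags, two bytes: QR|Opcode(4)|AA|TC|RD and RA|Z|AD|CD|Rcode(4)
# (RFC 1035 section 4.1.1; AD and CD are defined in RFC 4035 section 3.2).
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # Authenticated Data: set by a validating resolver only
FLAG_CD = 0x0010   # Checking Disabled
RCODE_SERVFAIL = 2  # what a validator returns for a bogus answer
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(msg_id, name, rcode=0, ad=False, answer_ip=None):
    """Constructed DNS response to a single A/IN query (sample input, not captured traffic).

    ad=True models what a validating resolver such as Unbound returns for a
    signed, verified name; ad=False models an unsigned (insecure) name.
    """
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & 0x000F)
    if ad:
        flags |= FLAG_AD
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answer = b""
    if answer_ip:
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        # 0xC00C: compression pointer to the question name at offset 12,
        # then TYPE A, CLASS IN, TTL 300, RDLENGTH 4.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def classify(msg):
    """Say how an AD-aware client should treat a resolver's response.

    'validated' : AD set, the validating resolver vouches for the data
    'insecure'  : no AD, unsigned zone or a 'null key' style insecure delegation
    'bogus'     : SERVFAIL, validation failed (or the resolver is in trouble)
    'truncated' : TC set, retry over TCP before deciding anything
    'error'     : some other RCODE
    'malformed' : not a complete response header
    """
    if len(msg) < 12:
        return "malformed"
    _msg_id, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        return "malformed"
    if flags & FLAG_TC:
        return "truncated"
    rcode = flags & 0x000F
    if rcode == RCODE_SERVFAIL:
        return "bogus"
    if rcode not in (0, RCODE_NXDOMAIN):
        return "error"
    # With AD set, even NXDOMAIN is an authenticated denial of existence.
    return "validated" if flags & FLAG_AD else "insecure"


def resolve_strict(msg):
    """Fail closed: accept only answers the validating resolver marked authentic."""
    return classify(msg) == "validated"


if __name__ == "__main__":
    samples = {
        "signed":   build_response(0x1234, "signed.example", ad=True, answer_ip="192.0.2.1"),
        "unsigned": build_response(0x1235, "unsigned.example", answer_ip="192.0.2.2"),
        "bogus":    build_response(0x1236, "bogus.example", rcode=RCODE_SERVFAIL),
    }
    for label, msg in samples.items():
        print(label, classify(msg), "accept" if resolve_strict(msg) else "reject")
```

Two caveats apply to this policy. The AD bit is only meaningful when the query went to a resolver that actually validates and the path to it is trusted (a local Unbound on 127.0.0.1, for instance); anything on the path, or a non-validating forwarder, can set or clear the bit, so a remote resolver's AD is no proof of anything. And because an unsigned zone legitimately yields an answer without AD, rejecting those answers makes every unsigned name unresolvable for that client, which is exactly what the question asks for but is a deliberate availability trade-off.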