Maintained by: NLnet Labs

How to force resolution failure of an unsigned domain

Sen Dion
Tue Apr 4 14:54:34 CEST 2017


My mail client messed with the new line character
which rendered the previous post less readable.
Please, ignore the previous post, and use this one instead.


Hi Wouter,

Thank you for taking time to provide clarification.

I went step-by-step through [2].  The following spot:
  "Next the resolvers checks the contents of the
   example.com key. If the key is empty (a so called
   null key) example.com is considered verifiable
   insecure.  The lookup will then proceed as a
   normal DNS lookup."
sounds suspiciously weak from the integrity point of view. 


On the next recursion (to resolve www.example.com), unbound
may cache the bogus response, as shown in [3].  In turn,
this will allow unsuspecting visitors to happily
supply their deepest banking secrets to the fake site.

The above scenario motivates me to ask the following
questions:
- How to prevent accesses to an unsigned name from 
  applications which are not 'ad' flag aware?
- Is there a way to force resolution failure (in unbound)
  for an unsigned name?

References
---------
[1] Chain of Trust, by R. Gieben
    https://www.nlnetlabs.nl/downloads/publications/CSI-report.pdf
[2] See section 3.5 "DNSSEC lookups" in [1].
[3] See section 2.3 "Security" in [1].



Thanks,
- Sen Dion
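The first question above (applications that are not AD-flag aware) can be addressed on the application side: a stub that sets the AD bit in its query and refuses any answer whose AD bit is clear turns an "insecure" (unsigned) answer into a lookup failure for that program. The following is an added example, written for this page and not code from the original post, from NLnet Labs or from unbound; the wire messages it checks are constructed inline (not captured), the resolver address 127.0.0.1:53 is an assumption, and the `lookup` helper is the only part that touches the network. It does not answer the second question about forcing the failure inside unbound itself.

```python
"""Stdlib-only DNS stub that enforces the AD (Authenticated Data) flag.

Added example for this thread. A validating resolver such as unbound sets AD
in a response only when the query carried AD or DO (RFC 6840 section 5.7),
so the stub must ask for it. Sample messages below are constructed, not captured.
"""
import socket
import struct

# Header flag bits (RFC 1035 / RFC 4035); FLAG_AD = Authenticated Data
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
TYPE_A, CLASS_IN = 1, 1


class NotAuthenticated(Exception):
    """The resolver did not assert DNSSEC validation (AD bit clear)."""


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def skip_name(wire, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Recursive query with AD set, asking the resolver to report validation."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(wire):
    if len(wire) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    return {"id": txid, "flags": flags, "rcode": flags & 0x000F,
            "ad": bool(flags & FLAG_AD), "qdcount": qd, "ancount": an}


def first_a_record(wire):
    """Return the first IN A address in the answer section, or None."""
    h = parse_header(wire)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(wire, off) + 4  # QTYPE + QCLASS
    for _ in range(h["ancount"]):
        off = skip_name(wire, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            return socket.inet_ntoa(wire[off:off + 4])
        off += rdlen
    return None


def authenticated_a(response, expected_id):
    """Use an answer only if the resolver validated it; otherwise raise."""
    h = parse_header(response)
    if h["id"] != expected_id:
        raise ValueError("transaction id mismatch")
    if h["rcode"] != 0:
        raise ValueError("resolver returned rcode %d" % h["rcode"])
    if not h["ad"]:
        # An unsigned zone, or a non-validating resolver, ends up here.
        raise NotAuthenticated("answer is not DNSSEC-validated; refusing it")
    return first_a_record(response)


def make_response(query, address, ad):
    """Constructed reply to `query` with one A record and AD set or clear."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    question = query[12:skip_name(query, 12) + 4]
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
              + socket.inet_aton(address))
    return struct.pack("!HHHHHH", txid, flags, qd, 1, 0, 0) + question + answer


def lookup(name, server="127.0.0.1", port=53, timeout=2.0):
    """Query a validating resolver (assumed: local unbound) over UDP, enforcing AD."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        response, _ = s.recvfrom(4096)
    return authenticated_a(response, 0x1234)


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(authenticated_a(make_response(q, "192.0.2.1", ad=True), 0x1234))
    try:
        authenticated_a(make_response(q, "192.0.2.1", ad=False), 0x1234)
    except NotAuthenticated as e:
        print("rejected:", e)
```

The check is only as good as the path between the stub and the validator: AD is a plain header bit, so it is meaningful only when the resolver is on localhost or reached over a channel an attacker cannot inject into. Programs that rely on the system stub resolver instead of their own queries need that stub to preserve AD; glibc's resolver, for instance, strips it unless the `trust-ad` option is present in resolv.conf.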