Maintained by: NLnet Labs

How to force resolution failure of an unsigned domain

Daisuke HIGASHI
Wed Apr 5 15:23:53 CEST 2017


Hi Sen,

Python scripting for Unbound may enable your desired function.
   http://unbound.net/documentation/pythonmod/index.html


For your information you can configure BIND9 to accept
secure (DNSSEC validated) responses only:

 options {
    dnssec-must-be-secure . yes;
 };
 managed-keys { .... };

With this configuration you can resolve signed (secure) domains only:

 $ dig @::1 unbound.net +short
 185.49.140.10

 $ dig @::1 isc.org +short
 149.20.64.69

But you won't be able to reach any unsigned (insecure) domain, as
Wouter pointed out:

 $ dig @::1 yahoo.com
 ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46417

 $ dig @::1 google.com
 ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63482

 $ dig @::1 twitter.com
 ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7986

-- 
Daisuke Higashi
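As an added illustration of the Unbound Python scripting mentioned in the mail (example code, not from the original message or from NLnet Labs), the following module fails every reply the validator did not mark DNSSEC-secure, the Unbound counterpart of BIND's `dnssec-must-be-secure . yes`. It assumes the attribute and constant names documented at the pythonmod URL above (`qstate.return_msg.rep.security`, `sec_status_secure`, `MODULE_EVENT_*`, `RCODE_SERVFAIL`) and the placeholder config lines shown in the comments.

```python
# Added example, not from the original mail or from NLnet Labs: an Unbound
# Python module that SERVFAILs every reply the validator did not mark as
# DNSSEC-secure, the equivalent of BIND's "dnssec-must-be-secure . yes".
# Assumed unbound.conf (paths are placeholders):
#   module-config: "python validator iterator"
#   python-script: "/etc/unbound/must_be_secure.py"
# With python first in module-config, MODULE_EVENT_MODDONE reaches this module
# after the validator has filled in return_msg.rep.security.
# MODULE_*, RCODE_*, sec_status_* and log_info are injected by Unbound at load.

try:
    SERVFAIL = RCODE_SERVFAIL  # provided by Unbound when loaded as a module
except NameError:
    SERVFAIL = 2               # standard DNS SERVFAIL rcode, for stand-alone use


def decide_rcode(is_secure, rcode):
    """Policy: keep the resolver's rcode for secure replies, SERVFAIL otherwise."""
    return rcode if is_secure else SERVFAIL


def init(id, cfg):
    log_info("must_be_secure: loaded")
    return True


def deinit(id):
    return True


def inform_super(id, qstate, superqstate, qdata):
    return True


def operate(id, event, qstate, qdata):
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        # Nothing to do on the way in; hand over to validator and iterator.
        qstate.ext_state[id] = MODULE_WAIT_MODULE
        return True
    if event == MODULE_EVENT_MODDONE:
        msg = qstate.return_msg
        is_secure = msg is not None and msg.rep.security == sec_status_secure
        # A non-NOERROR return_rcode makes Unbound send an error reply to the
        # client instead of the unsigned or bogus answer held in return_msg.
        qstate.return_rcode = decide_rcode(is_secure, qstate.return_rcode)
        if not is_secure:
            log_info("must_be_secure: SERVFAIL for non-secure reply")
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

Like the BIND configuration above, this breaks resolution of every unsigned zone, so it is only usable where all names the clients need are signed.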