Maintained by: NLnet Labs

How to force resolution failure of an unsigned domain

Benny Pedersen
Wed Apr 5 17:17:03 CEST 2017


Daisuke HIGASHI via Unbound-users wrote on 2017-04-05 15:23:

> For your information you can configure BIND9 to accept
> secure (DNSSEC validated) responses only:
> 
>  options {
>     dnssec-must-be-secure . yes;
>  };
>  managed-keys { .... };
> 
> With this configuration you can resolve signed (secure) domains only:
> 
>  $ dig @::1 unbound.net +short
>  185.49.140.10
> 
>  $ dig @::1 isc.org +short
>  149.20.64.69

works as designed then, it protects you from using these IPs blindly

> But you won't be able to reach all unsigned (insecure) domains, as
> Wouter pointed out:

when domains are not DNSSEC, you can't enforce DNSSEC without any risk of 
not seeing results as expected

>  $ dig @::1 yahoo.com
>  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46417

https://dane.sys4.de/smtp/yahoo.com

>  $ dig @::1 google.com
>  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63482

https://dane.sys4.de/smtp/google.com

>  $ dig @::1 twitter.com
>  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7986

https://dane.sys4.de/smtp/twitter.com


I know DANE is not meant to be used here, it is just a good source to confirm 
that it's not your Unbound not working :=)

Funny enough, Yahoo, Google and Twitter are all using DKIM-signed mails; what's 
their point with it :/