Maintained by: NLnet Labs

Trust rules and DNSSEC signatures

Paul Wouters
Thu Apr 27 18:13:51 CEST 2017



> On Apr 27, 2017, at 08:11, Florian Weimer via Unbound-users <unbound-users at unbound.net> wrote:
> 
> Does Unbound use otherwise non-trustworthy data simply because it has
> valid DNSSEC signatures?
> 

How can data be signed and validated and also "non-trustworthy"?

I see how data can be unwanted or superfluous, but if it validates then the daemon could obtain the same data using direct queries. So I am not sure what the actual problem is. "If crypto fails then evil could happen" isn't a very convincing argument against additional signed data and efforts to reduce latency in a proper implementation.

Paul