Maintained by: NLnet Labs

Trust rules and DNSSEC signatures

Florian Weimer
Thu Apr 27 18:49:12 CEST 2017

* Paul Wouters:

>> On Apr 27, 2017, at 08:11, Florian Weimer via Unbound-users
>> <unbound-users at> wrote:
>> Does Unbound use otherwise non-trustworthy data simply because it has
>> valid DNSSEC signatures?
> How can data be signed and validated and also "non-trustworthy" ?

Non-trustworthy according to DNS rules.  For example, data from the
target in a complete different zone for which the server providing the
reply is not even authoritative.

> I see how data can be unwanted or superfluous, but if it validates
> then the daemon could obtain the same data using direct queries.

Only if the cryptographic validation is correct.

> So I am not sure what the actual problem is. "If crypto fails then
> evil could happen" isn't a very convincing augment against
> additional signed data and efforts to reduce latency in a proper
> implementation.

It absolutely is because cryptographic never works correctly.  Most
people assume they don't have to worry too much about DNSSEC
validation bugs because there are other non-cryptographic security
features an attacker would have to bypass as well.

If DNSSEC, as implemented, disables these security features and more,
then enabling DNSSEC increases risk.

Enabling DNSSEC is fine if it is an add-on measure, but if it throws
out pretty much all the other protocol protections, it's unlikely that
it's a win from a security perspective.