Maintained by: NLnet Labs

Trust rules and DNSSEC signatures

Robert Edmonds
Thu Apr 27 19:26:26 CEST 2017


Florian Weimer via Unbound-users wrote:
> Does Unbound use otherwise non-trustworthy data simply because it has
> valid DNSSEC signatures?
> 
> I'm asking because of this recent dnsop thread:
> 
>   <https://mailarchive.ietf.org/arch/msg/dnsop/0bbEYp9RIGunDS4Vt_MvD2veMHg>

Hi, Florian:

It's been a while since I studied the Unbound architecture, but I
believe the answer to your question is "no", due to Unbound's separation
of iteration and validation into separate modules. (E.g.,
'module-config: "validator iterator"'.) If I understand correctly, the
iterator module is responsible for "scrubbing" response messages, which
includes things like deleting out-of-zone information from the response,
and it doesn't scrub conditionally based on whether the validator module
is also present in the module stack.

-- 
Robert Edmonds
edmonds at debian.org
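The scrub step described in the reply above, as an added illustrative model. This is not Unbound's code (its real scrubber lives in iterator/iter_scrub.c and does considerably more); it only demonstrates the property Robert describes: RRsets outside the zone the queried server is delegated for are removed before any validation happens, and the filter never looks at signatures. The `RRset`/`Response` classes, the `has_rrsig` flag, the `scrub` and `in_bailiwick` functions and the sample response in `demo()` are all constructed for this example.

```python
"""Model of out-of-zone ("out-of-bailiwick") scrubbing of a DNS response.

Added example, not Unbound's source. It illustrates the property described
in the reply: records a nameserver returns for names outside the zone it was
queried for are discarded by the scrub step, and that step does not consult
signatures or a validator at all. The RRset/Response classes, the has_rrsig
flag and the sample data are constructed for this illustration.
"""
from dataclasses import dataclass


def labels(name: str) -> list:
    """Split a presentation-format name into lowercase labels ('.' -> [])."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it; the root contains everything."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple
    has_rrsig: bool = False  # an RRSIG was attached; irrelevant to the scrub


@dataclass
class Response:
    qname: str
    answer: list
    authority: list
    additional: list


def scrub(resp: Response, zone: str) -> Response:
    """Drop every RRset outside `zone`, signed or not.

    The answer section must additionally form a chain that starts at the
    query name and continues only through CNAMEs; anything else there is
    dropped too. Authority and additional are filtered by bailiwick only.
    """
    def canon(name: str) -> str:
        return ".".join(labels(name))

    answer, current = [], canon(resp.qname)
    for rr in resp.answer:
        if canon(rr.name) != current or not in_bailiwick(rr.name, zone):
            continue  # not on the chain, or outside the zone: scrubbed
        answer.append(rr)
        if rr.rtype == "CNAME":
            current = canon(rr.rdata[0])  # chain continues at the target
    authority = [rr for rr in resp.authority if in_bailiwick(rr.name, zone)]
    additional = [rr for rr in resp.additional if in_bailiwick(rr.name, zone)]
    return Response(resp.qname, answer, authority, additional)


def demo() -> Response:
    """Constructed reply from a server delegated for example.net. (sample data)."""
    reply = Response(
        qname="www.example.net.",
        answer=[
            RRset("www.example.net.", "CNAME", ("cdn.example.com.",), has_rrsig=True),
            # Target lives in another zone: this server may not answer for it,
            # so the RRset is scrubbed even though it claims to be signed.
            RRset("cdn.example.com.", "A", ("198.51.100.66",), has_rrsig=True),
        ],
        authority=[
            RRset("example.net.", "NS", ("ns1.example.net.",), has_rrsig=True),
            RRset("example.com.", "NS", ("ns1.example.net.",), has_rrsig=True),  # scrubbed
        ],
        additional=[
            RRset("ns1.example.net.", "A", ("192.0.2.53",)),
            RRset("www.example.com.", "A", ("198.51.100.66",), has_rrsig=True),  # scrubbed
        ],
    )
    return scrub(reply, "example.net.")


if __name__ == "__main__":
    out = demo()
    for section in ("answer", "authority", "additional"):
        print(section, [(rr.name, rr.rtype) for rr in getattr(out, section)])
```

After scrubbing, only the in-zone CNAME survives in the answer; the resolver would then chase `cdn.example.com.` itself, from servers delegated for that zone. The `has_rrsig` flag plays no part in `scrub`, which is the point: whether `module-config` is `"validator iterator"` or just `"iterator"`, an out-of-zone record never reaches the cache on the strength of a signature.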