Trust rules and DNSSEC signatures

Robert Edmonds
Thu Apr 27 19:52:29 CEST 2017


Florian Weimer via Unbound-users wrote:
> * Paul Wouters:
> 
> >> On Apr 27, 2017, at 08:11, Florian Weimer via Unbound-users
> >> <unbound-users at unbound.net> wrote:
> >> 
> >> Does Unbound use otherwise non-trustworthy data simply because it has
> >> valid DNSSEC signatures?
> >> 
> >
> > How can data be signed and validated and also "non-trustworthy" ?
> 
> Non-trustworthy according to DNS rules.  For example, data from the
> target in a completely different zone for which the server providing the
> reply is not even authoritative.
> 
> > I see how data can be unwanted or superfluous, but if it validates
> > then the daemon could obtain the same data using direct queries.
> 
> Only if the cryptographic validation is correct.

Why? If an attacker can steal a zone signing key and use it to forge
signatures, *and* a validator implementation does not enforce
out-of-bailiwick rules for validly signed data, then there is no need
for the forged data to also be available via direct queries. That is a
good reason to continue to reject out-of-bailiwick data even if it is
validly signed.

-- 
Robert Edmonds
edmonds at debian.org
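The check the thread argues for, as an added example that is not part of the original post nor Unbound's code: a resolver-side bailiwick filter that discards records from outside the zone the answering server is authoritative for, independently of whether their DNSSEC signature validated. The record layout, the `dnssec_valid` flag (assumed to come from a separate validation step) and the sample response are constructed for illustration.

```python
# Added example (not from the mailing-list thread or from Unbound):
# a defender-side bailiwick filter. The thread's point is that a validator
# must reject out-of-bailiwick records even when their signature validates,
# because an attacker holding a stolen zone signing key can sign anything.
from dataclasses import dataclass


@dataclass
class RR:
    owner: str          # owner name, e.g. "www.example.com."
    rtype: str
    rdata: str
    dnssec_valid: bool  # assumed result of a separate signature validation


def labels(name: str) -> list[str]:
    """Split a DNS name into case-folded labels, dropping the root label."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is at or below zone, compared label by label.
    A plain string-suffix match would wrongly accept 'evil-example.com'
    as being under 'example.com'."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def accept_records(records: list[RR], zone: str) -> tuple[list[RR], list[RR]]:
    """Keep only records that are in bailiwick for the zone the answering
    server is authoritative for AND that validated. Returns (kept, rejected).
    The bailiwick test is applied first, so a validly signed record from
    another zone is still rejected."""
    kept, rejected = [], []
    for rr in records:
        if in_bailiwick(rr.owner, zone) and rr.dnssec_valid:
            kept.append(rr)
        else:
            rejected.append(rr)
    return kept, rejected


# Constructed sample response from a server authoritative for example.com.
SAMPLE = [
    RR("www.example.com.", "A", "192.0.2.10", True),
    RR("www.example.com.", "A", "192.0.2.11", False),       # failed validation
    RR("bank.example.net.", "A", "198.51.100.5", True),     # validly signed, other zone
    RR("www.evil-example.com.", "A", "198.51.100.6", True), # suffix-match trap
]

if __name__ == "__main__":
    kept, rejected = accept_records(SAMPLE, "example.com.")
    for rr in kept:
        print("accept", rr.owner, rr.rdata)
    for rr in rejected:
        print("reject", rr.owner, rr.rdata)
```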