* Paul Wouters:

>> On Apr 27, 2017, at 08:11, Florian Weimer via Unbound-users
>> <unbound-users at unbound.net> wrote:
>>
>> Does Unbound use otherwise non-trustworthy data simply because it has
>> valid DNSSEC signatures?
>
> How can data be signed and validated and also "non-trustworthy"?

Non-trustworthy according to DNS rules. For example, data from the
target in a completely different zone for which the server providing the
reply is not even authoritative.

> I see how data can be unwanted or superfluous, but if it validates
> then the daemon could obtain the same data using direct queries.

Only if the cryptographic validation is correct.

> So I am not sure what the actual problem is. "If crypto fails then
> evil could happen" isn't a very convincing argument against
> additional signed data and efforts to reduce latency in a proper
> implementation.

It absolutely is, because cryptography never works correctly. Most
people assume they don't have to worry too much about DNSSEC validation
bugs because there are other non-cryptographic security features an
attacker would have to bypass as well. If DNSSEC, as implemented,
disables these security features and more, then enabling DNSSEC
increases risk.

Enabling DNSSEC is fine if it is an add-on measure, but if it throws out
pretty much all the other protocol protections, it's unlikely that it's
a win from a security perspective.
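The "DNS rules" Florian refers to are the bailiwick check: a resolver keeps only records that fall under the zone the responding server is authoritative for, and a valid DNSSEC signature does not override that filter. The following is an added illustration, not code from this thread or from Unbound; the `RR` type, `in_bailiwick`, `filter_reply` and the sample reply are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    dnssec_valid: bool = False  # outcome of signature validation, if performed

def _labels(name: str) -> List[str]:
    # Normalise to lowercase labels; "." (root) becomes the empty list.
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone. Label-wise comparison, so
    'notexample.net' is NOT under 'example.net'."""
    n, z = _labels(name), _labels(zone)
    if len(n) < len(z):
        return False
    return len(z) == 0 or n[-len(z):] == z

def filter_reply(rrs: List[RR], zone: str) -> Tuple[List[RR], List[RR]]:
    """Split a reply into records the responding server may speak for
    and records it may not. dnssec_valid is deliberately ignored here:
    the bailiwick rule is an independent, non-cryptographic check."""
    accepted, dropped = [], []
    for rr in rrs:
        (accepted if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return accepted, dropped

# Constructed sample: a server authoritative for example.net answers a
# query for www.example.net but also slips in a signed, validating record
# for a name in an unrelated zone.
SAMPLE_REPLY = [
    RR("www.example.net.", "A", "192.0.2.10", dnssec_valid=True),
    RR("www.example.org.", "A", "192.0.2.99", dnssec_valid=True),
]

if __name__ == "__main__":
    accepted, dropped = filter_reply(SAMPLE_REPLY, "example.net.")
    print("accepted:", [r.name for r in accepted])
    print("dropped :", [r.name for r in dropped])
```

Even though the out-of-zone record validates cryptographically, it is dropped; a validation bug in the signature code therefore cannot on its own plant that record in the cache.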