Trust rules and DNSSEC signatures
Robert Edmonds
edmonds at debian.org
Thu Apr 27 17:26:26 UTC 2017
Florian Weimer via Unbound-users wrote:
> Does Unbound use otherwise non-trustworthy data simply because it has
> valid DNSSEC signatures?
>
> I'm asking because of this recent dnsop thread:
>
> <https://mailarchive.ietf.org/arch/msg/dnsop/0bbEYp9RIGunDS4Vt_MvD2veMHg>
Hi, Florian:
It's been a while since I studied the Unbound architecture, but I
believe the answer to your question is "no", due to Unbound's separation
of iteration and validation into separate modules. (E.g.,
'module-config: "validator iterator"'.) If I understand correctly, the
iterator module is responsible for "scrubbing" response messages, which
includes things like deleting out-of-zone information from the response,
and it doesn't scrub conditionally based on whether the validator module
is also present in the module stack.
--
Robert Edmonds
edmonds at debian.org