[Unbound-users] local-data in combination DNSSEC signed zones
Marco Davids (SIDN)
marco.davids at sidn.nl
Tue Oct 12 12:09:16 UTC 2010
Hello,
I conducted a small test with the cool 'local-data' feature of Unbound
in combination with a signed zone. It seems to work, albeit in an
'insecure' way for the 'local-data'.
My intuition tells me I might be doing something unnatural here, of
which I might not completely foresee the consequences.
Basically what I am wondering is if anyone has an opinion on this? I am
not exactly sure what to think of it.
For example, Windows 7 has a policy-option in the “Name Resolution
Policy Table” to demand DNSSEC for certain domains (never actually tried
it):
https://www.dnssec.nl/pipermail/dnssec/attachments/20100120/ab304386/attachment-0001.png
You get the picture: when 'local-data' is used, Unbound might return
insecure answers, with no 'ad'-flag set, for a zone that is expected to
be secure.
I guess the way it works now is the best way to go, so I am not
advocating any changes here. Just wondering about other people's opinion
on this.
Regards,
--
Marco
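
Added example, not part of the original message: a client-side check in the spirit of the policy described above, flagging a DNS response whose name falls under a "DNSSEC required" zone but arrives without the 'ad' flag. The policy zone `example.nl.`, the function names, and the sample packets (built inline by `build_response`) are assumptions made for illustration.

```python
import struct

QR_FLAG = 0x8000  # message is a response
AD_FLAG = 0x0020  # "Authenticated Data" bit in the DNS header flags

# Assumed policy: zones for which an answer without 'ad' is unacceptable.
REQUIRE_DNSSEC = ("example.nl.",)

def build_response(qname, ad, msg_id=0x1234):
    """Construct a minimal response (header + question) as sample input."""
    flags = 0x8180 | (AD_FLAG if ad else 0)  # QR, RD, RA set
    header = struct.pack("!6H", msg_id, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!2H", 1, 1)  # A, IN

def parse_response(wire):
    """Return (qname, ad_flag) from a DNS response in wire format."""
    if len(wire) < 12:
        raise ValueError("short DNS message")
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", wire[:12])
    if not flags & QR_FLAG or qdcount != 1:
        raise ValueError("not a single-question response")
    pos, labels = 12, []
    while True:
        if pos >= len(wire):
            raise ValueError("truncated question name")
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        # The first question name is never compressed, so only plain labels.
        if length > 63 or pos + length > len(wire):
            raise ValueError("bad label")
        labels.append(wire[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    return ".".join(labels) + ".", bool(flags & AD_FLAG)

def violates_policy(wire, policy=REQUIRE_DNSSEC):
    """True when the name is under a must-be-secure zone but 'ad' is clear."""
    qname, ad = parse_response(wire)
    covered = any(qname == z or qname.endswith("." + z) for z in policy)
    return covered and not ad
```

A response for `www.example.nl.` served from 'local-data' without the 'ad' flag is reported as a violation, while the same name answered with 'ad' set is not.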