How to force resolution failure of an unsigned domain
wouter at nlnetlabs.nl
Mon Apr 3 12:47:45 UTC 2017
Hi Sen Dion,
This is not needed. Unbound can keep apart unsigned domains and domains
where the crypto fails or is missing. This is a feature of DNSSEC,
where there is a signature over data that says the domain is unsigned.
So the user can trust the absence of the ad flag (and the data is then
insecure, but we know securely that it could arrive without signatures).
Best regards, Wouter
On 02/04/17 21:07, Sen Dion via Unbound-users wrote:
> Hello Everybody,
> It looks like there is an assumption that it is an application
> responsibility to get user consent before accessing an unsigned domain
> (whenever 'ad' flag is not set). AFAIK, that is not the case: the majority
> of applications is not 'ad' flag aware.
> How to prevent accesses to unsigned domains from these applications? Is
> there a way to force resolution failure (in unbound) for an unsigned
> Sen Dion
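The distinction Wouter draws above (a signed NSEC/NSEC3 at the parent proving there is no DS record is a secure statement that the child zone is unsigned, so "insecure" is not the same outcome as "bogus") as an added example; this is not code from the thread or from Unbound. It is a simplified, offline model of the delegation walk a validator performs: the Delegation records, zone names and the trust anchor are all constructed here, and the mapping from validation status to what an application sees (rcode plus AD flag) follows the behaviour described in the reply.

```python
"""Simplified model of how a validating resolver tells an unsigned (insecure)
zone apart from a broken (bogus) one.  Added example with constructed data;
not Unbound code.  Real validators check RRSIGs against DNSKEYs at every step;
here each delegation just carries the outcome of that check."""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    SECURE = "secure"      # unbroken chain of trust: AD flag set
    INSECURE = "insecure"  # signed proof of "no DS": answer returned, AD flag clear
    BOGUS = "bogus"        # chain broken without proof: resolver returns SERVFAIL


@dataclass(frozen=True)
class Delegation:
    """What the parent zone publishes at a delegation point (constructed)."""
    has_ds: bool            # parent holds a DS record for the child (child is signed)
    proven_no_ds: bool      # parent holds a signed NSEC/NSEC3 proving there is no DS
    signatures_valid: bool  # RRSIGs over the DS / NSEC data validate under the parent key


# Constructed delegation table, keyed by the child zone name.  "." is the
# (assumed) configured trust anchor, so it needs no entry of its own.
DELEGATIONS = {
    "example.":           Delegation(has_ds=True,  proven_no_ds=False, signatures_valid=True),
    "signed.example.":    Delegation(has_ds=True,  proven_no_ds=False, signatures_valid=True),
    # Unsigned child: the parent proves the absence of DS with a signed denial.
    "unsigned.example.":  Delegation(has_ds=False, proven_no_ds=True,  signatures_valid=True),
    # Misconfigured parent: no DS and no proof of its absence.
    "nodsproof.example.": Delegation(has_ds=False, proven_no_ds=False, signatures_valid=True),
    # DS present but the signatures at the delegation point do not validate.
    "badsig.example.":    Delegation(has_ds=True,  proven_no_ds=False, signatures_valid=False),
}


def classify(name: str, delegations: dict) -> Status:
    """Walk from the trust anchor (root) down toward `name`, one zone cut at a
    time, and report the DNSSEC status a validator would assign."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    # Visit ancestors top-down: "example." before "unsigned.example." etc.
    for i in range(len(labels) - 1, -1, -1):
        child = ".".join(labels[i:]) + "."
        delegation = delegations.get(child)
        if delegation is None:
            continue  # no zone cut here; same zone as the parent, same status
        if not delegation.signatures_valid:
            return Status.BOGUS  # crypto at the delegation point fails
        if delegation.has_ds:
            continue  # chain of trust continues into the child
        if delegation.proven_no_ds:
            # Securely proven unsigned: everything below is insecure, not bogus.
            return Status.INSECURE
        return Status.BOGUS  # neither DS nor a signed denial: cannot decide safely
    return Status.SECURE


def response_for(status: Status) -> tuple:
    """What a stub resolver / application observes: (rcode, AD flag set?)."""
    if status is Status.SECURE:
        return ("NOERROR", True)
    if status is Status.INSECURE:
        return ("NOERROR", False)   # answer is returned, AD flag is absent
    return ("SERVFAIL", False)      # bogus data is withheld from the application


if __name__ == "__main__":
    for qname in ("www.signed.example.", "www.unsigned.example.",
                  "www.nodsproof.example.", "www.badsig.example."):
        status = classify(qname, DELEGATIONS)
        print(f"{qname:26} {status.value:9} -> {response_for(status)}")
```

Running it shows the point of the reply: only the unsigned zone with a signed denial of DS yields NOERROR without AD, while a missing or bad proof yields SERVFAIL, so an application that is not AD-aware still never receives bogus data; it only cannot tell secure from proven-insecure.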