How to force resolution failure of an unsigned domain
Sen Dion
sendion23-ux at yahoo.com
Tue Apr 4 12:47:15 UTC 2017
Hi Wouter,
Thank you for taking time to provide clarification.
I went step-by-step through [2]. The following spot:
"Next the resolver checks the contents of the
example.com key. If the key is empty (a so called
null key) example.com is considered verifiable
insecure. The lookup will then proceed as a
normal DNS lookup."
sounds suspiciously weak from the integrity point of view.
On the next recursion (to resolve www.example.com), unbound
may cache the bogus response, as shown in [3]. In turn,
this will allow unsuspecting visitors to happily
supply their deepest banking secrets to the fake site.
The above scenario motivates me to ask the following
questions:
- How to prevent accesses to an unsigned name from
applications which are not 'ad' flag aware?
- Is there a way to force resolution failure (in unbound)
for an unsigned name?
References
----------
[1] Chain of Trust, by R. Gieben
https://www.nlnetlabs.nl/downloads/publications/CSI-report.pdf
[2] See section 3.5 "DNSSEC lookups" in [1].
[3] See section 2.3 "Security" in [1].
Thanks,
- Sen Dion
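The first question above concerns applications that are not aware of the AD flag. The following is an added example, not code from the post or from the Unbound project: a small stdlib-only Python stub that parses a DNS response, reads the AD bit from the header, and refuses to hand an address to the application unless the validating resolver set AD and returned NOERROR. The wire messages are constructed inline (the name www.example.com, the address 192.0.2.10, and the transaction id 0x1234 are all made-up sample values), so it runs offline; a real deployment would receive the bytes from a socket to the resolver.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035 section 3.2.3).
FLAG_QR = 1 << 15
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7
FLAG_AD = 1 << 5   # set by a validating resolver only when the answer validated
FLAG_CD = 1 << 4   # "checking disabled": a stub that wants validation must NOT set this
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2  # what a validator returns for a bogus (failed validation) answer


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(wire, offset):
    """Decode an uncompressed name; returns (name, offset past the name)."""
    labels = []
    while True:
        length = wire[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; constructed messages never use one
            raise ValueError("compression pointers not supported in this example")
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_response(name, ip, flags, rcode=RCODE_NOERROR):
    """Constructed sample response: one A question and, on NOERROR, one A answer."""
    ancount = 1 if rcode == RCODE_NOERROR else 0
    header = struct.pack("!HHHHHH", 0x1234, flags | rcode, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if ancount == 0:
        return header + question
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def parse_response(wire):
    """Parse header flags and A records out of a response message."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(wire, offset)
        offset += 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(an):
        _, offset = decode_name(wire, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in wire[offset:offset + 4]))
        offset += rdlen
    return {"ad": bool(flags & FLAG_AD), "rcode": flags & 0xF, "addresses": addresses}


def resolve_authenticated(wire):
    """Policy for an AD-unaware application: addresses are returned only for
    NOERROR answers that the resolver marked authenticated. Anything else,
    including a clean-looking answer from an unsigned zone, is a lookup failure.
    This relies on the path to the validating resolver being trusted (RFC 4035)."""
    parsed = parse_response(wire)
    if parsed["rcode"] != RCODE_NOERROR:
        raise LookupError("resolver returned rcode %d" % parsed["rcode"])
    if not parsed["ad"]:
        raise LookupError("answer not authenticated (AD clear): unsigned or unvalidated zone")
    return parsed["addresses"]


if __name__ == "__main__":
    base = FLAG_QR | FLAG_RD | FLAG_RA
    signed = build_response("www.example.com.", "192.0.2.10", base | FLAG_AD)
    unsigned = build_response("www.example.com.", "192.0.2.10", base)
    bogus = build_response("www.example.com.", "192.0.2.10", base, rcode=RCODE_SERVFAIL)
    print("validated:", resolve_authenticated(signed))
    for label, msg in (("unsigned", unsigned), ("bogus", bogus)):
        try:
            resolve_authenticated(msg)
        except LookupError as err:
            print(label, "->", err)
```

The wrapper turns the "verifiably insecure" case into a hard failure at the application boundary: an unsigned zone still resolves at the recursor, but the application never sees the address because AD is clear. It does not change what unbound caches; that side of the second question is a resolver configuration matter.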