How to force resolution failure of an unsigned domain
sendion23-ux at yahoo.com
Tue Apr 4 12:54:34 UTC 2017
My mail client messed with the new line character
which rendered the previous post less readable.
Please, ignore the previous post, and use this one instead.
Thank you for taking time to provide clarification.
I went step-by-step through . The following spot:
"Next the resolvers checks the contents of the
example.com key. If the key is empty (a so called
null key) example.com is considered verifiable
insecure. The lookup will then proceed as a
normal DNS lookup."
sounds suspiciously weak from the integrity point of view.
On the next recursion (to resolve www.example.com), unbound
may cache the bogus response, as shown in . In turn,
this will allow unsuspecting visitors to happily
supply their deepest banking secrets to the fake site.
The above scenario motivates me to ask the following:
- How to prevent accesses to an unsigned name from
applications which are not 'ad' flag aware?
- Is there a way to force resolution failure (in unbound)
for an unsigned name?
 Chain of Trust, by R. Gieben
 See section 3.5 "DNSSEC lookups" in . See section 2.3 "Security" in .
Thanks, - Sen Dion
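As an added illustration of the 'ad' flag point raised above (example code, not part of the original post or of Unbound): a client that inspects the DNS header can tell a validated answer (AD set) from an unsigned one and refuse the latter, whereas a client that ignores the flag cannot. The sample headers are constructed here; the flag and rcode values follow RFC 1035/4035.

```python
"""Classify a raw DNS response by the DNSSEC status its header carries."""
import struct

# Flag bits in the second 16-bit word of the DNS header.
FLAG_QR = 0x8000      # message is a response
FLAG_AD = 0x0020      # Authenticated Data: the validating resolver verified the answer
FLAG_CD = 0x0010      # Checking Disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2    # what a validating resolver returns for a bogus answer


def validation_status(response: bytes) -> str:
    """Return 'secure', 'insecure', 'unchecked' or 'bogus-or-error' for a response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", response[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response (QR bit clear)")
    if flags & RCODE_MASK == RCODE_SERVFAIL:
        return "bogus-or-error"        # validation failed or upstream error
    if flags & FLAG_CD:
        return "unchecked"             # we asked for no validation; AD is meaningless
    if flags & FLAG_AD:
        return "secure"                # chain of trust verified by the resolver
    return "insecure"                  # NOERROR but no AD: unsigned (or null-key) zone


def require_secure(response: bytes) -> bytes:
    """Policy an AD-aware application can apply: accept only validated answers."""
    status = validation_status(response)
    if status != "secure":
        raise RuntimeError(f"refusing non-validated answer: {status}")
    return response


def _header(flags: int, ancount: int = 1) -> bytes:
    """Constructed 12-byte header (txid, flags, qdcount, ancount, nscount, arcount)."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)


# Constructed samples: QR|RD|RA = 0x8180, plus the bit that distinguishes each case.
SECURE_RESPONSE = _header(0x8180 | FLAG_AD)
INSECURE_RESPONSE = _header(0x8180)
BOGUS_RESPONSE = _header(0x8180 | RCODE_SERVFAIL, ancount=0)
```

An application that ignores the AD bit sees `SECURE_RESPONSE` and `INSECURE_RESPONSE` as the same NOERROR answer, which is exactly the gap the question describes.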