How to force resolution failure of an unsigned domain
sendion23-ux at yahoo.com
Wed Apr 5 04:22:06 UTC 2017
> Unfortunately that document is about an old version of DNSSEC, with KEY> and SIG types. The new version of DNSSEC has DNSKEY and RRSIG rrs.
I went step-by-step through . Is it good enough to describe the new
version DNSSEC? If not, please point me to the relevant document.
Unfortunately, this document doesn't reveal the result of resolving
an unsigned name.
> It works differently. But can also find verifiable insecure points, by
> disproving the existance of DS records. This is done with NSEC (or
> NSEC3) records signed by the parent domain.
Please, help me to understand how things will play out in case
insecure point is verifiable found. Will 'unbound' resolve name
below this point? Will an application get the resolved name and
attempt to connect to it?
> Unbound does not have a way to prevent access to insecure names. Or
> make resolution failure. Because I think it is not needed.
Correct me if I am wrong. In case the answer returned to unbound
is retrieved from records located below insecure point (in the hierarchy),
the unbound will pass it to an application. In turn, the application
will be able to connect to the IP without suspecting that the IP is
I am trying to present to our administrator the benefits of running
'unbound'. I am confident that the above revelation will not fly by
him. Will you help me to make a convincing argument?
 "How DNSSEC Works"
- Sen Dion
More information about the Unbound-users