How to force resolution failure of an unsigned domain
Daisuke HIGASHI
daisuke.higashi at gmail.com
Wed Apr 5 13:23:53 UTC 2017
Hi Sen,
Python scripting for Unbound may enable your desired function.
http://unbound.net/documentation/pythonmod/index.html
For your information, you can configure BIND9 to accept
secure (DNSSEC-validated) responses only:

    options {
        dnssec-must-be-secure . yes;
    };
    managed-keys { .... };

With this configuration you can resolve signed (secure) domains only:

    $ dig @::1 unbound.net +short
    185.49.140.10
    $ dig @::1 isc.org +short
    149.20.64.69
But you won't be able to reach any unsigned (insecure) domains, as
Wouter pointed out:

    $ dig @::1 yahoo.com
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46417
    $ dig @::1 google.com
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63482
    $ dig @::1 twitter.com
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7986
--
Daisuke Higashi
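
Added example (not part of the original message, and not code from BIND or Unbound): a small Python check that reads dig header output like the lines above and reports any name the resolver answered without DNSSEC validation, which is what a secure-only policy should never allow. The sample responses and the name unsigned.example are constructed, and it assumes dig was run so the resolver returns the ad flag (for example with +adflag or +dnssec).

```python
import re

# Constructed sample dig headers (not captured from a real resolver).
SAMPLES = {
    "unbound.net": ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111\n"
                   ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n",
    "yahoo.com": ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2222\n"
                 ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n",
    # Hypothetical name: what a resolver WITHOUT the policy returns for an unsigned zone.
    "unsigned.example": ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333\n"
                        ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n",
}

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+), id: \d+", re.M)
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)


def parse_dig(text):
    """Return (rcode, set_of_flags) from dig's header lines."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no dig header found (timeout or +short output?)")
    flags = FLAGS_RE.search(text)
    return header.group(1), set(flags.group(1).split()) if flags else set()


def classify(text):
    """Map one response to secure / blocked / insecure-leak / other.

    SERVFAIL is reported as 'blocked', but it can also mean an upstream
    failure, so confirm against the resolver log before relying on it.
    """
    rcode, flags = parse_dig(text)
    if rcode == "SERVFAIL":
        return "blocked"
    if rcode in ("NOERROR", "NXDOMAIN"):
        return "secure" if "ad" in flags else "insecure-leak"
    return "other:" + rcode


def audit(samples):
    """Names whose answers were accepted without DNSSEC validation."""
    return sorted(n for n, t in samples.items() if classify(t) == "insecure-leak")


if __name__ == "__main__":
    print({n: classify(t) for n, t in SAMPLES.items()})
    print("answered without validation:", audit(SAMPLES))
```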