How to force resolution failure of an unsigned domain
Benny Pedersen
me at junc.eu
Wed Apr 5 15:17:03 UTC 2017
Daisuke HIGASHI via Unbound-users skrev den 2017-04-05 15:23:
> For your information you can configure BIND9 to accept
> secure (DNSSEC validated) response only:
>
> options {
>     dnssec-must-be-secure . yes;
> };
> managed-keys { .... };
>
> With this configuration you can resolve signed (secure) domains only:
>
> $ dig @::1 unbound.net +short
> 185.49.140.10
> $ dig @::1 isc.org +short
> 149.20.64.69
Works as designed then; it protects you from using these IPs blindly.
> But you won't be able to reach all unsigned (insecure) domains, as
> Wouter pointed out:
When domains are not DNSSEC-signed, you can't enforce DNSSEC without any risk of
not seeing results as expected.
> $ dig @::1 yahoo.com
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46417
https://dane.sys4.de/smtp/yahoo.com
> $ dig @::1 google.com
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63482
https://dane.sys4.de/smtp/google.com
> $ dig @::1 twitter.com
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7986
https://dane.sys4.de/smtp/twitter.com
I know DANE is not meant to be used here; it's just a good source to confirm
that it's not your Unbound that is not working :=)
Funny enough, Yahoo, Google and Twitter are all using DKIM-signed mail; what's
their point with it :/
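The SERVFAILs above look identical whether the resolver rejected an unsigned zone under `dnssec-must-be-secure`, failed to validate a broken chain, or simply could not reach the upstream. The following added example (not from this thread or from the BIND/Unbound projects) shows the check a practitioner would run to tell these apart: parse the `status:` and `flags:` header lines that `dig` prints, classify a NOERROR answer as secure or insecure by the `ad` flag, and, for a SERVFAIL, compare against a second query run with `+cd` (checking disabled). The `dig` outputs embedded below are constructed, not captured from the poster's resolver, and the assumption that a `+cd` query succeeds where the validating query SERVFAILs applies to both bogus zones and zones rejected by the must-be-secure policy; confirm the latter against your BIND version's documentation.

```python
import re

# Constructed dig outputs (not captured from the thread's resolver).
# Only the two header lines matter for this check.
SAMPLE_SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_INSECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46417
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Same name queried again with +cd: validation is skipped, data comes back.
SAMPLE_CD_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46418
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)


def parse_dig_header(output):
    """Return (status, set_of_flags) from dig's header lines."""
    m = STATUS_RE.search(output)
    if m is None:
        raise ValueError("no status line in dig output")
    f = FLAGS_RE.search(output)
    flags = set(f.group(1).split()) if f else set()
    return m.group(1), flags


def classify(normal_output, cd_output=None):
    """Classify a resolver answer for one name.

    normal_output: dig output of the ordinary (validating) query.
    cd_output:     dig output of the same query with +cd, if available.
    """
    status, flags = parse_dig_header(normal_output)
    if status == "NOERROR":
        # 'ad' set means the resolver validated the chain of trust.
        # Without it the zone is insecure: this is exactly what
        # dnssec-must-be-secure turns into a SERVFAIL.
        return "secure" if "ad" in flags else "insecure"
    if status != "SERVFAIL":
        return status.lower()          # e.g. nxdomain, refused
    if cd_output is None:
        return "servfail-unknown"      # need the +cd query to say more
    cd_status, _ = parse_dig_header(cd_output)
    if cd_status == "NOERROR":
        # Data exists but validation rejected it: bogus signatures,
        # or an unsigned zone blocked by the must-be-secure policy.
        return "validation-failure"
    return "upstream-failure"          # fails even without validation


if __name__ == "__main__":
    for name, out, cd in (("signed", SAMPLE_SECURE, None),
                          ("unsigned", SAMPLE_INSECURE, None),
                          ("blocked", SAMPLE_SERVFAIL, SAMPLE_CD_OK)):
        print(f"{name:10s} {classify(out, cd)}")
```

To use it against a live resolver, feed `classify()` the text of `dig @::1 NAME` and `dig @::1 NAME +cd`; a name reported as `insecure` on a plain validating resolver is one that a must-be-secure resolver will refuse.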