Trust rules and DNSSEC signatures

Paul Wouters paul at
Thu Apr 27 16:13:51 UTC 2017

> On Apr 27, 2017, at 08:11, Florian Weimer via Unbound-users <unbound-users at> wrote:
> Does Unbound use otherwise non-trustworthy data simply because it has
> valid DNSSEC signatures?

How can data be signed and validated and also "non-trustworthy" ?

I see how data can be unwanted or superfluous, but if it validates then the daemon could obtain the same data using direct queries. So I am not sure what the actual problem is. "If crypto fails then evil could happen" isn't a very convincing argument against additional signed data and efforts to reduce latency in a proper implementation.
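To make the two positions in this exchange concrete, here is an added toy model (not Unbound's code, and not from either poster) of the acceptance decision a validating resolver makes when a response carries records outside the responding server's zone. The classic trust rule (bailiwick check) drops such records because an unsigned out-of-zone record is exactly the cache-poisoning vector; the policy under discussion keeps an out-of-zone record only when its DNSSEC signature validated. The record set, the zone name and the `dnssec_valid` flag (standing in for a real signature check) are all constructed for the example.

```python
"""Toy model of bailiwick ("trust rule") filtering with an optional
DNSSEC-validated exception. Illustrative only: Unbound's real cache
acceptance logic is not reproduced here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    dnssec_valid: bool = False  # stands in for the result of signature validation


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a proper subdomain of it.
    Comparison is label-aware, so notexample.net is NOT under example.net."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if zone == "":  # the root zone contains every name
        return True
    return name == zone or name.endswith("." + zone)


def accept_records(rrs, zone, trust_validated_out_of_bailiwick=False):
    """Split a response from servers authoritative for `zone` into the
    records a resolver will cache and the records it discards.

    Strict mode (default): only in-bailiwick records are kept; everything
    else must be fetched with a direct query to its own authority.
    Relaxed mode: an out-of-bailiwick record is also kept if its DNSSEC
    signature validated, on the reasoning that a direct query would
    return the same signed data anyway."""
    accepted, rejected = [], []
    for rr in rrs:
        if in_bailiwick(rr.name, zone):
            accepted.append(rr)
        elif trust_validated_out_of_bailiwick and rr.dnssec_valid:
            accepted.append(rr)
        else:
            rejected.append(rr)
    return accepted, rejected


# Constructed response, as if returned by the example.net name servers.
SAMPLE_RESPONSE = [
    RR("www.example.net", "A", "192.0.2.10"),                       # in zone
    RR("ns1.example.org", "A", "192.0.2.53"),                       # out of zone, unsigned
    RR("www.example.org", "A", "192.0.2.20", dnssec_valid=True),    # out of zone, validated
    RR("example.com", "A", "198.51.100.1"),                         # out of zone, unsigned (poisoning attempt)
]
ZONE = "example.net"


def accepted_names(strict: bool = True):
    acc, _ = accept_records(SAMPLE_RESPONSE, ZONE,
                            trust_validated_out_of_bailiwick=not strict)
    return [rr.name for rr in acc]


if __name__ == "__main__":
    print("strict :", accepted_names(strict=True))
    print("relaxed:", accepted_names(strict=False))
```

The unsigned out-of-zone records are rejected under both policies, which is the case the trust rules exist for. The only behavioural difference is the validated `www.example.org` record, and that is exactly the data the resolver would otherwise have to fetch with its own query, which is the latency argument made above.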


