Trust rules and DNSSEC signatures
paul at nohats.ca
Thu Apr 27 16:13:51 UTC 2017
> On Apr 27, 2017, at 08:11, Florian Weimer via Unbound-users <unbound-users at unbound.net> wrote:
> Does Unbound use otherwise non-trustworthy data simply because it has
> valid DNSSEC signatures?
How can data be signed and validated and also "non-trustworthy" ?
I see how data can be unwanted or superfluous, but if it validates then the daemon could obtain the same data using direct queries. So I am not sure what the actual problem is. "If crypto fails then evil could happen" isn't a very convincing augment against additional signed data and efforts to reduce latency in a proper implementation.
More information about the Unbound-users