Trust rules and DNSSEC signatures

Robert Edmonds edmonds at
Thu Apr 27 17:26:26 UTC 2017

Florian Weimer via Unbound-users wrote:
> Does Unbound use otherwise non-trustworthy data simply because it has
> valid DNSSEC signatures?
> I'm asking because of this recent dnsop thread:
>   <>

Hi, Florian:

It's been a while since I studied the Unbound architecture, but I
believe the answer to your question is "no", due to Unbound's separation
of iteration and validation into separate modules. (E.g.,
'module-config: "validator iterator"'.) If I understand correctly, the
iterator module is responsible for "scrubbing" response messages, which
includes things like deleting out-of-zone information from the response,
and it doesn't scrub conditionally based on whether the validator module
is also present in the module stack.

Robert Edmonds
edmonds at
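Below is a small added example, not Unbound's code, sketching the unconditional out-of-zone scrub the reply describes: records outside the queried server's zone are dropped whether or not they carry a signature. The zone name, the sample records and the `signed` flag are constructed assumptions for illustration only.

```python
# Added illustration (not Unbound's implementation): an iterator-style
# bailiwick scrub that ignores signature status entirely.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str            # owner name, fully qualified (trailing dot)
    rtype: str
    rdata: str
    signed: bool = False  # constructed flag: an RRSIG accompanies this RR


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it, compared label by label."""
    name_labels = name.lower().rstrip(".").split(".")
    zone_labels = zone.lower().rstrip(".").split(".")
    if zone_labels == [""]:      # root zone: every name is in bailiwick
        return True
    # Label-wise suffix match, so "notexample.com." is NOT under "example.com."
    return name_labels[-len(zone_labels):] == zone_labels


def scrub(response: list[RR], zone: str) -> list[RR]:
    """Drop out-of-zone records unconditionally; `rr.signed` is never consulted."""
    return [rr for rr in response if in_bailiwick(rr.name, zone)]


def demo() -> list[str]:
    # Constructed response from a server authoritative for example.com.,
    # padded with two out-of-zone records, one of them "signed".
    zone = "example.com."
    response = [
        RR("www.example.com.", "A", "192.0.2.10", signed=True),
        RR("ns1.example.com.", "A", "192.0.2.53"),
        RR("www.notexample.com.", "A", "192.0.2.66"),            # out of zone
        RR("mail.other.test.", "A", "192.0.2.99", signed=True),  # out of zone, signed
    ]
    return [rr.name for rr in scrub(response, zone)]
```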