Trust rules and DNSSEC signatures

Robert Edmonds edmonds at
Thu Apr 27 17:52:29 UTC 2017

Florian Weimer via Unbound-users wrote:
> * Paul Wouters:
> >> On Apr 27, 2017, at 08:11, Florian Weimer via Unbound-users
> >> <unbound-users at> wrote:
> >> 
> >> Does Unbound use otherwise non-trustworthy data simply because it has
> >> valid DNSSEC signatures?
> >> 
> >
> > How can data be signed and validated and also "non-trustworthy" ?
> Non-trustworthy according to DNS rules.  For example, data from the
> target in a completely different zone for which the server providing the
> reply is not even authoritative.
> > I see how data can be unwanted or superfluous, but if it validates
> > then the daemon could obtain the same data using direct queries.
> Only if the cryptographic validation is correct.

Why? If an attacker can steal a zone signing key and use it to forge
signatures, *and* a validator implementation does not enforce
out-of-bailiwick rules for validly signed data, then there is no need
for the forged data to also be available via direct queries. That is a
good reason to continue to reject out-of-bailiwick data even if it is
validly signed.

Robert Edmonds
edmonds at
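The out-of-bailiwick rule the thread argues for, shown as an added Python example (not code from Unbound or from either poster): records are filtered on the responding server's zone first, so a signature that validates cannot rescue data the server had no business returning. The response, zone name and addresses are constructed for illustration, and the DNSSEC validation result is assumed to have been computed already.

```python
from dataclasses import dataclass

def labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels; the root '.' becomes []."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is at or below zone, compared on whole labels so that
    'notexample.net.' is not treated as inside 'example.net.'."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

@dataclass
class RR:
    owner: str
    rtype: str
    rdata: str
    rrsig_valid: bool  # DNSSEC validation result, assumed already computed

def filter_response(records: list[RR], server_zone: str):
    """Split records into (accepted, rejected). The bailiwick check runs
    first, so a valid signature never rescues out-of-zone data."""
    accepted, rejected = [], []
    for rr in records:
        if not in_bailiwick(rr.owner, server_zone):
            rejected.append((rr, "out of bailiwick"))
        elif not rr.rrsig_valid:
            rejected.append((rr, "signature does not validate"))
        else:
            accepted.append(rr)
    return accepted, rejected

# Constructed response from a server authoritative for example.net. only.
SAMPLE_RESPONSE = [
    RR("www.example.net.", "A", "192.0.2.10", True),
    RR("mail.example.net.", "A", "192.0.2.25", False),
    # Validly signed (e.g. with a stolen key for that zone), but it is not
    # this server's data to hand out, so it must still be dropped.
    RR("ns1.other-example.org.", "A", "198.51.100.7", True),
]

def demo(zone: str = "example.net."):
    accepted, rejected = filter_response(SAMPLE_RESPONSE, zone)
    return [rr.owner for rr in accepted], [(rr.owner, why) for rr, why in rejected]

if __name__ == "__main__":
    print(demo())
```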
