Trust rules and DNSSEC signatures
Robert Edmonds
edmonds at debian.org
Thu Apr 27 17:52:29 UTC 2017
Florian Weimer via Unbound-users wrote:
> * Paul Wouters:
>
> >> On Apr 27, 2017, at 08:11, Florian Weimer via Unbound-users
> >> <unbound-users at unbound.net> wrote:
> >>
> >> Does Unbound use otherwise non-trustworthy data simply because it has
> >> valid DNSSEC signatures?
> >>
> >
> > How can data be signed and validated and also "non-trustworthy" ?
>
> Non-trustworthy according to DNS rules. For example, data from the
> target in a completely different zone for which the server providing the
> reply is not even authoritative.
>
> > I see how data can be unwanted or superfluous, but if it validates
> > then the daemon could obtain the same data using direct queries.
>
> Only if the cryptographic validation is correct.
Why? If an attacker can steal a zone signing key and use it to forge
signatures, *and* a validator implementation does not enforce
out-of-bailiwick rules for validly signed data, then there is no need
for the forged data to also be available via direct queries. That is a
good reason to continue to reject out-of-bailiwick data even if it is
validly signed.
--
Robert Edmonds
edmonds at debian.org
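The policy argued for in this reply, as an added example that is not part of the thread and not Unbound's own code: a bailiwick filter applied to a response before (and independently of) the DNSSEC validation result. The records, the zone name `example.com.` and the forged name `www.bank.example.` are constructed for the illustration, and `dnssec_valid` stands in for a signature check assumed to have been done already (in the stolen-ZSK scenario above it would report "valid" for the forged record too).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from a response (constructed, not parsed wire format)."""
    name: str           # owner name, fully qualified with trailing dot
    rtype: str
    rdata: str
    dnssec_valid: bool  # outcome of RRSIG validation, assumed already computed


def canonical(name: str) -> str:
    """Lower-case and add the trailing dot so comparisons are label-exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or lies below it.

    The '.' prefix in the suffix test keeps 'notexample.com.' from matching
    'example.com.'; the root zone contains every name.
    """
    owner, zone = canonical(owner), canonical(zone)
    if zone == ".":
        return True
    return owner == zone or owner.endswith("." + zone)


def accept_by_signature_only(records):
    """The policy the reply warns against: a valid signature is enough.

    A forged record signed with a stolen ZSK passes here even though the
    answering server is not authoritative for its owner name.
    """
    return [rr for rr in records if rr.dnssec_valid]


def accept_in_bailiwick(records, zone):
    """Bailiwick first; the signature check can only narrow the result further.

    Out-of-bailiwick records are discarded regardless of dnssec_valid, so a
    compromised key alone cannot inject data about an unrelated zone.
    """
    return [
        rr for rr in records
        if in_bailiwick(rr.name, zone) and rr.dnssec_valid
    ]


# Constructed response to a query for www.example.com. sent to a server that
# is authoritative for example.com. only. The third record is the attacker's
# addition: an unrelated name, but carrying a signature that validates because
# the key used to sign it was stolen (hypothetical scenario from the thread).
ZONE = "example.com."
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10", True),
    RR("ns1.example.com.", "A", "192.0.2.53", True),
    RR("www.bank.example.", "A", "198.51.100.99", True),
]


if __name__ == "__main__":
    for rr in accept_by_signature_only(SAMPLE_RESPONSE):
        print("signature-only policy keeps:", rr.name, rr.rdata)
    for rr in accept_in_bailiwick(SAMPLE_RESPONSE, ZONE):
        print("bailiwick policy keeps:     ", rr.name, rr.rdata)
```

The ordering is the whole point: the bailiwick test is a function of which server answered and what it is authoritative for, so it must be evaluated from the response's provenance rather than from anything inside the records, and a signature that validates must not be allowed to reopen that decision.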