unbound 1.7.3 - Verified that unsigned response is INSECURE

[Jochen Becker]

Jaap

Thanks for coming back so quickly. Your answer raised a lot more
questions ...
But as I do not want to bother you with too many silly questions, is
there any documentation available, you could possibly point me to? I do
know your web-site, though.

Apparently there seems to be a misunderstanding at my end, e. g. where
is the point of validation if the majority of domains are not signed?
Just checked signin.ebay.de and signin.ebay.com, not signed.

Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: resolving
sigin.ebay.com. SOA IN
Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: response for
sigin.ebay.com. SOA IN
Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: reply from <.>
146.185.167.43#853
Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: query response
was NXDOMAIN ANSWER
Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: resolving
ebay.com. DS IN
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: response for
ebay.com. DS IN
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: reply from <.>
89.233.43.71#853
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: query response
was nodata ANSWER
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: NSEC3s for the
referral proved no DS.
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: Verified that
unsigned response is INSECURE

Neither are a couple of banks nor akamai nor googleapis.com, all unsigned.

In my current (and now updated!) understanding, in all these cases I can
never be sure to actually talk to the web site I wanted to?

Unbound has opened my eyes in this project so far. It helps me to use
rolling DNS-servers of choice, it encrypts my queries and shows me what
is going on.
My conclusion so far: DNSSEC remains an illusion. Would that be correct?

Thanks

Jochen


Am 30.10.18 um 10:55 schrieb Jaap Akkerhuis:
> 
> Nothing. The domain ubuntuusers.de is unsigned.
> 
> 	jaap
>