unbound 1.7.3 - Verified that unsigned response is INSECURE
Jochen Becker
jochen.becker3 at freenet.de
Tue Oct 30 13:52:17 UTC 2018
Jaap
Thanks for coming back so quickly. Your answer raised a lot more
questions ...
But as I do not want to bother you with too many silly questions, is
there any documentation available, you could possibly point me to? I do
know your web-site, though.
Apparently there seems to be a misunderstanding at my end, e. g. where
is the point of validation if the majority of domains are not signed?
Just checked signin.ebay.de and signin.ebay.com, not signed.
Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: resolving
sigin.ebay.com. SOA IN
Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: response for
sigin.ebay.com. SOA IN
Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: reply from <.>
146.185.167.43#853
Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: query response
was NXDOMAIN ANSWER
Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: resolving
ebay.com. DS IN
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: response for
ebay.com. DS IN
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: reply from <.>
89.233.43.71#853
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: query response
was nodata ANSWER
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: NSEC3s for the
referral proved no DS.
Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: Verified that
unsigned response is INSECURE
Neither are a couple of banks nor akamai nor googleapis.com, all unsigned.
In my current (and now updated!) understanding, in all these cases I can
never be sure to actually talk to the web site I wanted to?
Unbound has opened my eyes in this project so far. It helps me to use
rolling DNS-servers of choice, it encrypts my queries and shows me what
is going on.
My conclusion so far: DNSSEC remains an illusion. Would that be correct?
Thanks
Jochen
Am 30.10.18 um 10:55 schrieb Jaap Akkerhuis:
>
> Nothing. The domain ubuntuusers.de is unsigned.
>
> jaap
>
More information about the Unbound-users
mailing list