unbound 1.7.3 - Verified that unsigned response is INSECURE

Havard Eidnes he at uninett.no
Tue Oct 30 15:23:11 UTC 2018


> Apparently there seems to be a misunderstanding at my end, e.g. where
> is the point of validation if the majority of domains are not signed?

This is more or less the natural way of "incremental deployment"
of a rather complex technology.

One thing is validation, which is relatively easy to deploy, and
by doing so you at least validate those domains which are signed.

Another thing is to configure signing your domains, and if you
are going to do it yourself, it introduces quite a bit of
additional complexity which needs to be mastered, and if you get
"one little detail" wrong the consequences can be fairly serious.

> In my current (and now updated!) understanding, in all these cases I can
> never be sure to actually talk to the web site I wanted to?

Well, if the domain owner doesn't DNSSEC-sign his domain(s),
attempts at doing validation at your end won't improve matters
*for those domains*.

Of course, deployment is not universal, neither on the signing
nor on the validation end (and will probably never be...).

> My conclusion so far: DNSSEC remains an illusion. Would that be correct?

I would disagree, but deployment has not been rapid.
E.g. validation of DNSSEC varies widely by region:

  https://stats.labs.apnic.net/dnssec

and from my own backyard, the level of DNSSEC-signed domains for
".no" domains is not all "doom and gloom":

  https://www.norid.no/en/statistikk/dnssec/

Regards,

- Håvard
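To make the distinction in this thread concrete (a validating resolver can only report SECURE for a domain whose owner has signed it; an unsigned domain comes back INSECURE, and a validation failure comes back as SERVFAIL), here is a small added example, not code from the author or from the Unbound project. It builds a query with the EDNS DO bit set, then classifies a reply by the AD flag and RCODE in the DNS header. The three reply messages are constructed inline for the example; the name example.org and the transaction id are arbitrary.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS DO bit (RFC 3225)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020      # Authenticated Data: the validator proved the answer
RCODE_SERVFAIL = 2    # what a validator returns when validation fails (BOGUS)
EDNS_DO = 0x00008000  # DNSSEC OK, carried in the TTL field of the OPT RR


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Wire-format query (RD set) with an EDNS0 OPT record asking for DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def classify(response: bytes) -> str:
    """Classify a reply from a trusted, validating resolver by its header bits.

    Only trust the AD bit from a resolver you control (e.g. unbound on localhost):
    the bit is not itself protected on the wire between you and the resolver.
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode == RCODE_SERVFAIL:
        return "BOGUS-or-error"  # validator withheld the data; check the resolver's logs
    if flags & FLAG_AD:
        return "SECURE"          # signed zone, chain of trust verified
    return "INSECURE"            # unsigned zone (or an unsigned delegation above it)


def _sample_reply(flags: int, txid: int = 0x1234) -> bytes:
    """Constructed minimal reply: header plus echoed question for example.org/A."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name("example.org") + struct.pack("!HH", 1, 1)


# Constructed sample replies, as a validating resolver would flag them
SAMPLE_SECURE = _sample_reply(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
SAMPLE_INSECURE = _sample_reply(FLAG_QR | FLAG_RD | FLAG_RA)
SAMPLE_BOGUS = _sample_reply(FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL)


def query_live(resolver: str, name: str, timeout: float = 3.0) -> str:
    """Optional live check against a local validating resolver (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return classify(data)


if __name__ == "__main__":
    for label, msg in (("signed", SAMPLE_SECURE), ("unsigned", SAMPLE_INSECURE), ("failed", SAMPLE_BOGUS)):
        print(f"{label:9s} -> {classify(msg)}")
```

`query_live("127.0.0.1", "example.org")` does the same against a local unbound; it is the programmatic equivalent of looking for `ad` in the flags line of `dig +dnssec`. An INSECURE result for an unsigned domain is the expected outcome this thread discusses, not a validator fault; only SERVFAIL on a signed domain points at a validation problem, and unbound's `val-log-level` option makes it log the reason.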