Does unbound ignore unsigned replies from a signed zone?

User free.sites at
Sun May 19 21:08:15 UTC 2019


In a router related forum I read the following post dated April 2019
comparing unbound and dnsmasq:

"[...] Since dnsmasq defaults to strict DNSSEC validation, it rejects
those invalid DNS entries, and therefore the test completely fails.

Your Unbound "works" because it simply ignores unsigned replies from a
signed zone... Which means it's doing zero to protect you against DNS
hijacking. Any hijacking could simply NOT sign the fake DNS zone, and
you would never even know.

Dnsmasq's strict validation is the way proper DNSSEC is meant to work,
if you want DNSSEC to truly be an effective protection mechanism."

This post left me behind a bit insecure. I'm not a pro, my questions
just are:

1.	Is this true for unbound 1.9.x, i.e. unbound ignores unsigned
replies from a DNSSEC-signed zone? Or was this the case only in older
versions of unbound? If yes, what version fixed it?
2.	How about strict (vs. opportunistic) DNSSEC validation in
current unbound 1.9.x? Is there such a feature? Is strict DNSSEC
validation available in unbound?

Thank you for your help.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Unbound-users mailing list