Does unbound ignore unsigned replies from a signed zone?
A. Schulze
sca at andreasschulze.de
Sun May 19 21:37:40 UTC 2019
Am 19.05.19 um 23:08 schrieb User via Unbound-users:
> Hi!
>
>
>
> In a router related forum I read the following post dated April 2019 comparing unbound and dnsmasq:
>
>
>
> /"[...] Since dnsmasq defaults to strict DNSSEC validation, it rejects those invalid DNS entries, and therefore the test completely fails./
>
> / /
>
> /Your Unbound "works" because it simply ignores unsigned replies from a signed zone... Which means it's doing zero to protect you against DNS hijacking. Any hijacking could simply NOT sign the fake DNS zone, and you would never even know./
>
> / /
>
> /Dnsmasq's strict validation is the way proper DNSSEC is meant to work, if you want DNSSEC to truly be an effective protection mechanism.”/
unbound and - I assume DNSMASQ too - will do DNSSEC validation if they are required to do so by configuration.
If there are signatures and validation succeed, the answer is send back to the client as authenticated data (AD-Flag set in response)
Usually, if validation fail, the result is just "SERVFAIL". A client /may/ ask the resolver to skip validation by setting a CD-Flag (checking disabled) as part of the query,
There is an unbound option "ignore-cd-flag" to not allow a client to ask unbound to skip validation.
Maybe your forum user mixed these facts wrongly ...
Andreas
More information about the Unbound-users
mailing list