retrieve TLSA record also if it is not secured by DNSSEC

John Peacock jpeacock at messagesystems.com
Wed Feb 12 14:42:16 UTC 2020


On Wed, Feb 12, 2020 at 9:34 AM Elmar Stellnberger via Unbound-users <
unbound-users at lists.nlnetlabs.nl> wrote:

> Does anyone care about this? Who has tried to retrieve the TLSA record of
> elstel.com via libunbound? Why does it not return the TLSA record as
> unsafe if it is present but not signed correctly?
>
At least for me, that would be pointless; if I am to trust the information, it
has to be signed correctly. Returning untrusted values just removes the
security and you might as well not use DANE at all.

My 2 cents

John