security settings

[Paul Wouters]

On Thu, 30 Jul 2020, Modster, Anthony via Unbound-users wrote:

> Subject: security settings

> Using the setup below, how to configure unbound for strict security or not.

I'm a little confused about the "setup below". You list some software
and API's

> Config 1: strict security, do not allow “unsecure and unsigned” resolves to the downstream client ?

In general, there is no such setting for DNS because it is normal for
DNS zones to be unsigned and not use DNSSEC. Those to do use DNSSEC
are automatically protected against "DNSSEC stripping" so receiving
unsigned answers will never compromise signed domains.

> Config 2: less secure, allow resolves that are not signed to the downstream client ?

As I said, this is the normal mode of operation.

> The resolv.conf will contain the “nameserver IP address” for the local host. This is the IP address that
> unbound daemon uses to monitor DNS client quires.
> 
> strongswan curl plugin gethostbyname()

I don't know what you mean here. strongswan is an IKE daemon, and I do
believe it has some DNSSEC support but I'm not aware that resolving
hosts with it required DNSSEC.

I am more familiar with libreswan, another IKE daemon, which does use
libunbound and DNSSEC and will always validate the DNSSEC answers even
if the local server listed in resolv.conf supports DNSSEC.  It does
provide for a enable-dnssec=no override.

I don't know if curl/libcurl supports dnssec. a quick check with ldd
does not show a known dnssec capable resolver is linked.

gethostbyname() simply does not support DNSSEC. It's API predates DNSSEC
by 20+ years.

Paul