security settings

Modster, Anthony Anthony.Modster at Teledyne.com
Fri Jul 31 00:34:06 UTC 2020 

Hello Paul

I thought unbound supports downstream clients.

If that is the case any DNS capable app can point to "unbound daemon" and have it resolve or forward DNSSEC requests.

The "unbound daemon" would monitor for client DNS quires on 127.0.0.1 "what the typical resolv.conf nameserver is set for".

Is this true ?

-----Original Message-----
From: Paul Wouters <paul at nohats.ca> 
Sent: Thursday, July 30, 2020 3:50 PM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>
Cc: Modster, Anthony via Unbound-users <unbound-users at lists.nlnetlabs.nl>
Subject: Re: security settings

---External Email---

On Thu, 30 Jul 2020, Modster, Anthony via Unbound-users wrote:

> Subject: security settings

> Using the setup below, how to configure unbound for strict security or not.

I'm a little confused about the "setup below". You list some software and API's

> Config 1: strict security, do not allow “unsecure and unsigned” resolves to the downstream client ?

In general, there is no such setting for DNS because it is normal for DNS zones to be unsigned and not use DNSSEC. Those to do use DNSSEC are automatically protected against "DNSSEC stripping" so receiving unsigned answers will never compromise signed domains.

> Config 2: less secure, allow resolves that are not signed to the downstream client ?

As I said, this is the normal mode of operation.

> The resolv.conf will contain the “nameserver IP address” for the local 
> host. This is the IP address that unbound daemon uses to monitor DNS client quires.
> 
> strongswan curl plugin gethostbyname()

I don't know what you mean here. strongswan is an IKE daemon, and I do believe it has some DNSSEC support but I'm not aware that resolving hosts with it required DNSSEC.

I am more familiar with libreswan, another IKE daemon, which does use libunbound and DNSSEC and will always validate the DNSSEC answers even if the local server listed in resolv.conf supports DNSSEC.  It does provide for a enable-dnssec=no override.

I don't know if curl/libcurl supports dnssec. a quick check with ldd does not show a known dnssec capable resolver is linked.

gethostbyname() simply does not support DNSSEC. It's API predates DNSSEC by 20+ years.

Paul

More information about the Unbound-users mailing list