Hi!
In a router-related forum I read the following post, dated April 2019, comparing unbound and dnsmasq:

"[...] Since dnsmasq defaults to strict DNSSEC validation, it rejects those invalid DNS entries, and therefore the test completely fails. Your Unbound 'works' because it simply ignores unsigned replies from a signed zone... Which means it's doing zero to protect you against DNS hijacking. Any hijacking could simply NOT sign the fake DNS zone, and you would never even know. Dnsmasq's strict validation is the way proper DNSSEC is meant to work, if you want DNSSEC to truly be an effective protection mechanism."

This post left me a bit unsure. I'm not a pro; my questions are just:

1. Is this true for unbound 1.9.x, i.e. does unbound ignore unsigned replies from a DNSSEC-signed zone? Or was this the case only in older versions of unbound? If so, which version fixed it?

2. How about strict (vs. opportunistic) DNSSEC validation in current unbound 1.9.x? Is there such a feature? Is strict DNSSEC validation available in unbound?

Thank you for your help.
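As an added illustration for question 2 (not part of the original post, and not a configuration shipped by the unbound project), this unbound.conf fragment shows the server options that decide whether the validator rejects failed answers or merely logs them; the trust-anchor path is an assumption and depends on your distribution.

```conf
server:
    # Validation only happens at all when the validator module is loaded.
    module-config: "validator iterator"

    # Root trust anchor, kept up to date by unbound itself.
    # Path is an assumption; adjust to your distribution.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Strict mode (the default): an answer that fails validation is
    # marked bogus and the client receives SERVFAIL instead of the data.
    val-permissive-mode: no

    # Weak setting to avoid: with permissive mode the failure is only
    # logged, the AD bit is cleared, and the possibly forged data is
    # still handed to the client.
    # val-permissive-mode: yes

    # Log every validation failure with its reason and the server IP,
    # which lets you confirm that bogus answers really are rejected.
    val-log-level: 2
```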
