On 19.05.19 at 23:08, User via Unbound-users wrote:
> Hi!
>
> In a router-related forum I read the following post dated April 2019
> comparing unbound and dnsmasq:
>
> "[...] Since dnsmasq defaults to strict DNSSEC validation, it rejects those
> invalid DNS entries, and therefore the test completely fails.
>
> Your Unbound "works" because it simply ignores unsigned replies from a
> signed zone... Which means it's doing zero to protect you against DNS
> hijacking. Any hijacking could simply NOT sign the fake DNS zone, and you
> would never even know.
>
> Dnsmasq's strict validation is the way proper DNSSEC is meant to work, if
> you want DNSSEC to truly be an effective protection mechanism."


unbound and - I assume DNSMASQ too - will do DNSSEC validation if they are
required to do so by configuration.
If there are signatures and validation succeeds, the answer is sent back to the
client as authenticated data (AD flag set in the response).
Usually, if validation fails, the result is just "SERVFAIL". A client *may* ask
the resolver to skip validation by setting the CD flag (checking disabled) as
part of the query.
There is an unbound option "ignore-cd-flag" to not allow a client to ask
unbound to skip validation.

Maybe your forum user mixed these facts wrongly ...

Andreas

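As an added illustration of the flag behaviour described in the reply above (not code from the thread or from the Unbound project), the following builds a DNS query header with or without the CD bit and classifies constructed response headers by AD flag and RCODE, the way a client would read a validating resolver's answer. The sample responses are constructed inline; a real resolver with `ignore-cd-flag: yes` would still return SERVFAIL for a bogus name even when the query carried CD.

```python
import struct

# DNS header flag bits (RFC 1035 header layout, AD/CD from RFC 4035)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # Authentic Data: the resolver validated this answer
FLAG_CD = 0x0010  # Checking Disabled: client asks the resolver to skip validation
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2

def build_query_header(txid, checking_disabled=False):
    """12-byte header for a recursive query with one question (no question section)."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

def parse_response_header(data):
    """Decode the fixed header of a DNS response into the fields we care about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "authenticated": bool(flags & FLAG_AD),
        "checking_disabled": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "answers": an,
    }

def classify(response):
    """Interpret a validating resolver's reply as the mail describes it."""
    hdr = parse_response_header(response)
    if hdr["rcode"] == RCODE_SERVFAIL:
        return "validation failed (SERVFAIL)"
    if hdr["authenticated"]:
        return "validated (AD set)"
    if hdr["checking_disabled"]:
        return "unvalidated: client asked for CD"
    return "unvalidated: unsigned zone or non-validating resolver"

# Constructed sample response headers (answer sections omitted, header is enough here)
VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
BOGUS = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 0)
CD_ANSWER = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD, 1, 1, 0, 0)
UNSIGNED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)

if __name__ == "__main__":
    for name, resp in [("VALIDATED", VALIDATED), ("BOGUS", BOGUS),
                       ("CD_ANSWER", CD_ANSWER), ("UNSIGNED", UNSIGNED)]:
        print(name, "->", classify(resp))
```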