On Thu, Jul 02, 2009 at 04:36:43PM +0200, W.C.A. Wijngaards wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Leen,
>
> On 07/02/2009 10:35 AM, Leen Besselink wrote:
> > Hi Wouter,
> >
> > Usually I just lurk on this mailing list, but this time I have a question
> > about DNSSEC.
> >
> > I'm not familiar with all the details of DNSSEC, but I thought it doesn't
> > really matter all that much where you get the DNSSEC information from, as
> > long as you have a copy of the public root key or maybe something from a
> > DLV system. You would be able to verify it all the way from the top down
> > to the record that you want to verify.
>
> Yes, but you have to get the data from the server.
> DNSSEC does not conjure information out of thin air.
>
> > A forwarder would then just be a cache; you could ask that forwarder to
> > retrieve the right RR and you'd be able to verify it.
>
> Yes, if that forwarder passes along the signature with the data.
> If the forwarder takes away all the signatures, then with
> DNSSEC you detect that and the response is a security failure.
>
> > This is what I always assumed, let's say the root is signed (I assume with
> > DLV it's kind of similar):
> >
> > 1. You know the root is signed, you have the public key (or whatever key
> > material you need), you get the right records and you verify these
> > records. They can't be changed, otherwise the signatures wouldn't match.
>
> Yes. And there is an expiration to tell you this was not
> a delayed repeat of old information.
>
> > 2. It has a record that says .org is signed and it has to match with this
> > key.
>
> Yes
>
> > 3. You ask for .org information and it HAS to be signed; if it isn't
> > signed or doesn't match, it's invalid.
> >
> > and so on.
>
> Yes
>
> > So where can the records be stripped?
>
> It looked like Harish was running a setup where the forwarder was
> stripping the records. Because it did not have dnssec enabled, it
> did not pass along the information that was necessary.
>
> Noticing that information was stripped off, unbound then decided this
> was a security failure.
>
> Does this information help?
>

Yes, it does take away my uncertainty about whether I understand correctly
how DNSSEC works.

It's not possible for Unbound to ask the forwarder for the specific record
(I think it's something like KEY)? Or would a forwarder strip that also?
Or would all these extra requests delay the whole thing far too much, and
is that a good reason not to do it?

> Best regards,
>    Wouter
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkpMxfsACgkQkDLqNwOhpPissgCeJr0w0R7SGoYveycNplpBd3Kl
> fh4AoKghjmNjNA4gA7LHPoRJEFdMDb4M
> =+sCI
> -----END PGP SIGNATURE-----
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
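As an added example (not part of this thread and not Unbound's own code), the following Python script does, by hand, what the discussion above says a validating resolver does towards its forwarder: it sends a query with the EDNS0 DO bit set, and then looks at whether the answer still carries RRSIG records and an OPT record, or whether a DNSSEC-unaware forwarder stripped them. The two sample answers at the bottom are constructed inside the script for the example.org/A case (the signature bytes are dummies, not real signatures), not captured from any server; the forwarder address passed to `probe()` on the command line is whatever you want to test.

```python
"""Probe whether a DNS forwarder passes DNSSEC material (RRSIG, OPT) along.

Added example for the thread above, not Unbound code.  A validator asks its
forwarder with the EDNS0 DO ("DNSSEC OK") bit set and expects RRSIGs back.
A forwarder that is not DNSSEC-aware drops the OPT record and the signatures;
for a zone the validator knows is signed, that is treated as a failure.
"""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
CLASS_IN = 1
EDNS_DO = 0x8000          # DO bit sits in the high half of the OPT "TTL" field
FLAG_AD = 0x0020          # "authenticated data" bit in the header flags


def encode_name(name):
    """Wire-format a dotted name, uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234, udp_size=4096):
    """Query with RD set plus an OPT record carrying the DO bit (40 bytes for example.org/A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = extended flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return (id, flags, [(name, type, class, ttl, rdata), ...]) for all RR sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                        # qtype + qclass
    rrs = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return txid, flags, rrs


def classify(msg):
    """Say what the forwarder did with the DNSSEC material in one answer."""
    _, flags, rrs = parse_response(msg)
    types = {rr[1] for rr in rrs}
    do_echoed = any(rr[1] == TYPE_OPT and rr[3] & EDNS_DO for rr in rrs)
    if TYPE_RRSIG in types:
        return "rrsig-present"             # signatures came through; validate them
    if not do_echoed:
        return "rrsig-stripped-no-edns"    # OPT/DO ignored: forwarder is not DNSSEC-aware
    return "rrsig-absent"                  # EDNS fine; zone may simply be unsigned (check DS)


def probe(server, qname="example.org", port=53, timeout=3.0):
    """Send the DO query to a forwarder over UDP and classify its reply (network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (server, port))
        answer, _ = sock.recvfrom(4096)
    return classify(answer)


def _rr(name, rtype, ttl, rdata, rclass=CLASS_IN):
    return name + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


# Constructed sample answers for example.org/A (not captured from a real server).
_QUESTION = encode_name("example.org") + struct.pack("!HH", TYPE_A, CLASS_IN)
_PTR_QNAME = b"\xc0\x0c"                   # compression pointer to the question name
_RRSIG_RDATA = (struct.pack("!HBBIIIH", TYPE_A, 8, 2, 300, 0x5A000000, 0x59000000, 12345)
                + encode_name("example.org") + b"\x00" * 32)   # dummy signature bytes
SIGNED_ANSWER = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1) + _QUESTION
                 + _rr(_PTR_QNAME, TYPE_A, 300, b"\xc0\x00\x02\x01")
                 + _rr(_PTR_QNAME, TYPE_RRSIG, 300, _RRSIG_RDATA)
                 + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0))
STRIPPED_ANSWER = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                   + _rr(_PTR_QNAME, TYPE_A, 300, b"\xc0\x00\x02\x01"))

if __name__ == "__main__":
    import sys
    print("signed sample:", classify(SIGNED_ANSWER))
    print("stripped sample:", classify(STRIPPED_ANSWER))
    if len(sys.argv) > 1:                   # e.g. python probe.py 192.0.2.53
        print(sys.argv[1], "->", probe(sys.argv[1]))
```

Run it against a forwarder with a name you know is signed: "rrsig-present" means the forwarder hands the signatures through and a validator behind it can verify them; "rrsig-stripped-no-edns" is the situation Wouter describes, where the forwarder drops the OPT record and the RRSIGs and the validator has to treat the answer as bogus. "rrsig-absent" alone does not prove anything, since an unsigned zone also has no RRSIGs; the validator decides that case from the DS record at the parent, which this probe does not fetch.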
