On Jan 11, 2014, at 5:00 PM, Rick van Rein <[email protected]> wrote:
> Hello,
>
> Am I correct that Unbound cannot require DNSSEC validation for its resolution?
>
> The general DNS use case would call for security of validated insecurity, but
> other situations are possible too.
> * You do not want to trust TLSA / CERT / … records that have not been
> validated
> * Kerberos5 tends to mistrust DNS, but insofar as records are signed that
> could be corrected
> * An application at a CA might have a policy to only trust signed portions of
> DNS
>
> So, if I am correct and there is no way to enforce DNSSEC validation on
> everything returned, then could such an option be added in future versions?
Rick,
Strictly speaking you are asking unbound to do something that RFC4035 outlaws,
i.e. see section 4.3: Insecure is always returned.
I understand what you want and agree with you it would be nice to have this
functionality.
One way to do this is to run a local resolver behind a proxy that translates
all answers w/o AD bit to an empty answer with RCODE>0, not sure what RCODE.
A better way might be to propose an EDNS0 option that expresses to the
resolver: only answer if AD==1, and defines a new RCODE to express that only
an insecure answer exists.
This way applications that want this functionality get it and all others that
use the resolver are not affected.
Olafur
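As an added illustration of the proxy idea in the reply above (example code, not part of the original thread and not Unbound's own code): the function below inspects the AD bit in a DNS response header and, when it is clear, rewrites the message into an empty answer with a non-zero RCODE. The choice of SERVFAIL is an assumption, since the post deliberately leaves the RCODE open; the sample responses are constructed inline with a single uncompressed question and one A record so the block runs offline. The EDNS0 option is not implemented, since no option code for it has been defined.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD defined by RFC 2535/4035)
QR = 0x8000          # response
RD = 0x0100          # recursion desired
RA = 0x0080          # recursion available
AD = 0x0020          # Authenticated Data: the resolver validated this answer
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2   # assumed RCODE for "no validated answer exists"


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, ip: str, ad: bool, qid: int = 0x1234) -> bytes:
    """Constructed sample response: one question, one A record, AD set or clear."""
    flags = QR | RD | RA | (AD if ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    # Answer owner name is a compression pointer to the question name at offset 12.
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def question_end(msg: bytes) -> int:
    """Offset just past the question section (assumes QDCOUNT == 1, no compression)."""
    pos = 12
    while True:
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        pos += ln
    return pos + 4   # skip QTYPE and QCLASS


def has_ad(msg: bytes) -> bool:
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & AD)


def rcode(msg: bytes) -> int:
    return struct.unpack("!H", msg[2:4])[0] & RCODE_MASK


def answer_count(msg: bytes) -> int:
    return struct.unpack("!H", msg[6:8])[0]


def enforce_ad(msg: bytes, fail_rcode: int = RCODE_SERVFAIL) -> bytes:
    """Pass validated answers through unchanged; turn unvalidated ones into an
    empty answer carrying the same ID and question but a non-zero RCODE."""
    if has_ad(msg):
        return msg
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    flags = (flags & 0xFFF0) | (fail_rcode & RCODE_MASK)
    header = struct.pack("!HHHHHH", qid, flags, qdcount, 0, 0, 0)
    return header + msg[12:question_end(msg)]


if __name__ == "__main__":
    good = build_response("example.org.", "192.0.2.1", ad=True)
    bad = build_response("example.org.", "192.0.2.1", ad=False)
    print("validated passes through:", enforce_ad(good) == good)
    stripped = enforce_ad(bad)
    print("unvalidated -> answers:", answer_count(stripped), "rcode:", rcode(stripped))
```

In a real deployment this rewrite would sit between the application and the recursive resolver; note that it relies on the AD bit from a resolver the proxy trusts over a trusted path, since AD is only meaningful if the hop that set it is itself trustworthy.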
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users