Hi Wouter,
Thank you for taking time to provide clarification.
I went step-by-step through [2]. The following spot:
"Next the resolvers checks the contents of the
example.com key. If the key is empty (a so called
null key) example.com is considered verifiable
insecure. The lookup will then proceed as a
normal DNS lookup."
sounds suspiciously weak from the integrity point of view.
On the next recursion (to resolve www.example.com), unbound
may cache the bogus response, as shown in [3]. In turn,
this will allow unsuspecting visitors to happily
supply their deepest banking secrets to the fake site.
The above scenario motivates me to ask the following
questions:
- How to prevent accesses to an unsigned name from
applications which are not 'ad' flag aware?
- Is there a way to force resolution failure (in unbound)
for an unsigned name?
References
---------
[1] Chain of Trust, by R. Gieben
    https://www.nlnetlabs.nl/downloads/publications/CSI-report.pdf
[2] See section 3.5 "DNSSEC lookups" in [1].
[3] See section 2.3 "Security" in [1].
Thanks,
- Sen Dion
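As an added example (not part of the message above, and not unbound's or NLnet Labs' code): the check an 'ad'-aware application makes is simply to read the AD bit in the DNS response header and refuse to use an answer that was not validated. The Python below parses the 12-byte header, classifies a response as "secure" (AD set), "insecure" (rcode 0 but no AD, i.e. an unsigned name or a non-validating resolver) or "failed" (non-zero rcode, e.g. the SERVFAIL a validating resolver returns for bogus data), and raises when validation is required but absent. The three response messages are constructed inline; the transaction ID, names and address are made up. It assumes the resolver itself is trusted and the path to it is protected (e.g. localhost), because AD is only a header bit that any party on the path could set.

```python
import struct
from dataclasses import dataclass


@dataclass
class DnsHeader:
    """Fields of the 12-byte DNS message header (RFC 1035, RFC 4035 for AD/CD)."""
    id: int
    qr: bool      # response flag
    opcode: int
    aa: bool      # authoritative answer
    tc: bool      # truncated
    rd: bool      # recursion desired
    ra: bool      # recursion available
    ad: bool      # authentic data: resolver validated every RRset in the answer
    cd: bool      # checking disabled: client asked the resolver not to validate
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed header; flag layout is QR|Opcode(4)|AA|TC|RD|RA|Z|AD|CD|RCODE(4)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(
        id=txid,
        qr=bool(flags & 0x8000),
        opcode=(flags >> 11) & 0xF,
        aa=bool(flags & 0x0400),
        tc=bool(flags & 0x0200),
        rd=bool(flags & 0x0100),
        ra=bool(flags & 0x0080),
        ad=bool(flags & 0x0020),
        cd=bool(flags & 0x0010),
        rcode=flags & 0x000F,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def classify(msg: bytes) -> str:
    """'secure' if validated, 'failed' on error rcode, otherwise 'insecure'."""
    h = parse_header(msg)
    if not h.qr:
        raise ValueError("message is a query, not a response")
    if h.rcode != 0:
        return "failed"       # e.g. SERVFAIL for a bogus (broken-signature) name
    if h.cd:
        return "insecure"     # CD echoed back: we told the resolver not to validate
    return "secure" if h.ad else "insecure"


class ValidationRequired(Exception):
    pass


def require_validated(msg: bytes) -> DnsHeader:
    """Application-side answer to 'force failure for unsigned names': refuse non-AD data."""
    state = classify(msg)
    if state != "secure":
        raise ValidationRequired(f"answer not DNSSEC-validated ({state})")
    return parse_header(msg)


# ---- constructed sample responses (made-up ID, name and address) ----

def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(txid: int, flags: int, qname: str, rdata: bytes = b"") -> bytes:
    """Minimal response: one A/IN question, optionally one A answer pointing at it."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if rdata else 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # type A, class IN
    answer = b""
    if rdata:
        # 0xC00C = compression pointer to the name at offset 12 (the question name)
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


A_RDATA = bytes([192, 0, 2, 1])                       # 192.0.2.1, documentation range
SECURE = build_response(0x1234, 0x81A0, "www.example.com", A_RDATA)    # QR RD RA AD
INSECURE = build_response(0x1234, 0x8180, "www.example.com", A_RDATA)  # QR RD RA, no AD
SERVFAIL = build_response(0x1234, 0x8182, "www.example.com")           # rcode 2, no AD

if __name__ == "__main__":
    for label, msg in (("secure", SECURE), ("insecure", INSECURE), ("servfail", SERVFAIL)):
        print(label, "->", classify(msg))
```

The "insecure" outcome is exactly the "verifiably insecure, proceed as a normal DNS lookup" case quoted above: the resolver returns rcode 0 with AD clear, and only a client that looks at the bit can tell it apart from a validated answer.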