Daisuke HIGASHI via Unbound-users wrote on 2017-04-05 15:23:
> For your information you can configure BIND9 to accept
> secure (DNSSEC validated) response only:
>
> options {
>     dnssec-must-be-secure . yes;
> };
> managed-keys { .... };
>
> With this configuration you can resolve signed (secure) domain only:
>
> $ dig @::1 unbound.net +short
> 185.49.140.10
> $ dig @::1 isc.org +short
> 149.20.64.69
works as designed then, it protects you from using these IPs blindly
> But you won't be able to reach all unsigned (insecure) domain, as
> Wouter pointed out:
when domains are not DNSSEC signed, you can't enforce DNSSEC without a risk of
not seeing the results you expect
> $ dig @::1 yahoo.com
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46417
https://dane.sys4.de/smtp/yahoo.com
> $ dig @::1 google.com
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63482
https://dane.sys4.de/smtp/google.com
> $ dig @::1 twitter.com
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7986
https://dane.sys4.de/smtp/twitter.com
I know DANE is not meant to be used here, it's just a good source to confirm
that it's not your unbound that isn't working :=)
funny enough yahoo, google and twitter are all using DKIM signed mail, what's
their point with it :/