Florian Weimer via Unbound-users wrote:
> Does Unbound use otherwise non-trustworthy data simply because it has
> valid DNSSEC signatures?
>
> I'm asking because of this recent dnsop thread:
>
> <https://mailarchive.ietf.org/arch/msg/dnsop/0bbEYp9RIGunDS4Vt_MvD2veMHg>

Hi, Florian:

It's been a while since I studied the Unbound architecture, but I believe the answer to your question is "no", due to Unbound's separation of iteration and validation into separate modules. (E.g., 'module-config: "validator iterator"'.) If I understand correctly, the iterator module is responsible for "scrubbing" response messages, which includes things like deleting out-of-zone information from the response, and it doesn't scrub conditionally based on whether the validator module is also present in the module stack.

-- 
Robert Edmonds
edmo...@debian.org