[Unbound-users] local-data in combination DNSSEC signed zones

Marco Davids (SIDN) marco.davids at sidn.nl
Tue Oct 12 12:09:16 UTC 2010


Hello,

I conducted a small test with the cool 'local-data' feature of Unbound
in combination with a signed zone. It seems to work, albeit in an
'insecure' way for the 'local-data'.

My intuition tells me I might be doing something unnatural here, of
which I might not completely foresee the consequences.

Basically, what I am wondering is whether anyone has an opinion on this. I am
not exactly sure what to think of it.

For example, Windows 7 has a policy-option in the “Name Resolution
Policy Table” to demand DNSSEC for certain domains (never actually tried
it):

https://www.dnssec.nl/pipermail/dnssec/attachments/20100120/ab304386/attachment-0001.png

You get the picture: when 'local-data' is used, Unbound might return
insecure answers, with no 'ad' flag set, for a zone that is expected to
be secure.

I guess the way it works now is the best way to go, so I am not
advocating any changes here. Just wondering about other people's opinion
on this.

Regards,

-- 
Marco
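The configuration the post describes, as an added example that is not part of the original message or of the Unbound project's documentation: a validating Unbound with a single 'local-data' override inside a DNSSEC-signed zone, followed by the check a practitioner would run to see the missing 'ad' flag. The zone name example.com, the address 192.0.2.10 and the trust-anchor file path are assumptions made for the example.

```conf
# unbound.conf fragment (added example; not from the original post).
# Assumptions: example.com is a DNSSEC-signed zone, 192.0.2.10 is a
# constructed documentation-range address, and the trust anchor lives
# at the path given below.
server:
    # Validation is enabled: answers resolved from the signed zone are
    # validated and get the AD bit when they verify.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Override one name of the signed zone with local-data. The
    # local-zone type "transparent" is the default for a zone that has
    # local-data: names present in local-data are answered locally,
    # every other name in example.com is resolved and validated as usual.
    local-zone: "example.com." transparent
    local-data: "www.example.com. IN A 192.0.2.10"

# Check, run against the resolver with the DO bit set:
#   dig +dnssec @127.0.0.1 www.example.com A
#   dig +dnssec @127.0.0.1 <any other name in example.com> A
# Compare the 'flags:' line of both answers. The local-data answer is
# synthesised by Unbound, carries no RRSIG and is never validated, so it
# is returned without 'ad'; the other name is validated normally.
```

A client that is configured to require DNSSEC for example.com (the Windows NRPT policy mentioned above, or any validating stub) will therefore treat the overridden name as an unvalidated answer, while the rest of the zone keeps validating; that is the mixed state the post is asking about.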

