Maintained by: NLnet Labs

[Unbound-users] local-data in combination DNSSEC signed zones

Paul Wouters
Tue Oct 12 17:54:18 CEST 2010

On Tue, 12 Oct 2010, Marco Davids (SIDN) wrote:

> I conducted a small test with the cool 'local-data' feature of Unbound
> in combination with a signed zone. It seems to work, be it in an
> 'insecure' way for the 'local-data'.
> My intuition tells me I might be doing something unnatural here, of
> which I might not completely oversee the consequences.

> You get the picture; When 'local-data' is used, Unbound might return
> insecure answers, with no 'ad'-flag set, for a zone that is expected to
> be secure.
> I guess the way it works now is the best way to go

I don't know about that. unbound is basically serving verifiably false information
without a ServFail and CD bit. I'd say that's probably wrong, and that it should
not allow overriding dnssec data with non-dnssec data. But that's pretty
much a "protocol view" over a "real world view". Though with more and more validating
resolvers out there, and those moving to the endusers, that data will be less
useful and will get rejected ultimately anyway.
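The behaviour the thread is talking about is easy to see from the resolver's side: an answer served from 'local-data' for a name inside a signed zone comes back NOERROR but without the 'ad' flag, while a genuinely validated answer carries 'ad' and a validation failure is SERVFAIL. The script below is an added illustration, not code from the thread or from Unbound; the config fragment in the comment, the names `www.example.com` and `192.0.2.1`, the resolver address `127.0.0.1` and the trust-anchor path are placeholders I assumed, and the three response headers are constructed samples in `dig` format rather than captured output.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Unbound itself.
#
# Assumed unbound.conf fragment (placeholder zone and address) that gives
# the behaviour discussed: the override answers from local-data, so the
# reply has no RRSIG and no 'ad' flag although example.com is signed.
#
#   server:
#     auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
#     local-zone: "example.com." transparent
#     local-data: "www.example.com. A 192.0.2.1"
#
# classify_answer reads a dig-style response on stdin and prints one of:
#   validated  - status NOERROR and the 'ad' flag is set
#   insecure   - status NOERROR but no 'ad' flag (what local-data yields)
#   servfail   - status SERVFAIL (validation failure)
#   unknown    - no recognisable dig header in the input
classify_answer() {
    resp=$(cat)
    # first ";; ->>HEADER<<-" line carries the status
    header=$(printf '%s\n' "$resp" | sed -n '/^;; ->>HEADER<<-/{p;q;}')
    # first ";; flags:" line carries the flag list, e.g. "qr rd ra ad"
    flags=$(printf '%s\n' "$resp" | sed -n '/^;; flags:/{p;q;}')
    case "$header" in
        *'status: SERVFAIL'*) echo servfail; return 0 ;;
        *'status: NOERROR'*) ;;
        *) echo unknown; return 0 ;;
    esac
    flaglist=${flags#*flags:}      # drop everything up to "flags:"
    flaglist=${flaglist%%;*}       # keep only the flag words before ';'
    for f in $flaglist; do
        if [ "$f" = ad ]; then
            echo validated
            return 0
        fi
    done
    echo insecure
}

# query_and_classify runs a real query against a local validating resolver
# (address assumed) and classifies the reply; used interactively, not below.
query_and_classify() {
    dig +dnssec @127.0.0.1 "$1" A | classify_answer
}

# Constructed sample headers in dig's output format (not captured traffic).
SIGNED_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
LOCAL_DATA_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
BOGUS_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Walk the samples; an operator would run query_and_classify on each name
# that appears in a local-data line to spot overrides of signed names.
for sample in "$SIGNED_ANSWER" "$LOCAL_DATA_ANSWER" "$BOGUS_ANSWER"; do
    printf '%s\n' "$sample" | classify_answer
done
```

The useful check for an operator is the middle case: a NOERROR answer without 'ad' for a name whose zone you know to be signed is exactly the "verifiably false, without SERVFAIL" situation described above, and a stub or application that demands AD will reject it.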