Jaap Thanks for coming back so quickly. Your answer raised a lot more questions ... But as I do not want to bother you with too many silly questions, is there any documentation available, you could possibly point me to? I do know your web-site, though.
Apparently there seems to be a misunderstanding at my end, e. g. where is the point of validation if the majority of domains are not signed? Just checked signin.ebay.de and signin.ebay.com, not signed. Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: resolving sigin.ebay.com. SOA IN Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: response for sigin.ebay.com. SOA IN Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: reply from <.> 146.185.167.43#853 Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: query response was NXDOMAIN ANSWER Okt 30 10:15:24 dnsserver1 unbound[718]: [718:0] info: resolving ebay.com. DS IN Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: response for ebay.com. DS IN Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: reply from <.> 89.233.43.71#853 Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: query response was nodata ANSWER Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: NSEC3s for the referral proved no DS. Okt 30 10:15:25 dnsserver1 unbound[718]: [718:0] info: Verified that unsigned response is INSECURE Neither are a couple of banks nor akamai nor googleapis.com, all unsigned. In my current (and now updated!) understanding, in all these cases I can never be sure to actually talk to the web site I wanted to? Unbound has opened my eyes in this project so far. It helps me to use rolling DNS-servers of choice, it encrypts my queries and shows me what is going on. My conclusion so far: DNSSEC remains an illusion. Would that be correct? Thanks Jochen Am 30.10.18 um 10:55 schrieb Jaap Akkerhuis: > > Nothing. The domain ubuntuusers.de is unsigned. > > jaap >
