On Tue, 12 Oct 2010, Marco Davids (SIDN) wrote:
I conducted a small test with the cool 'local-data' feature of Unbound
in combination with a signed zone. It seems to work, albeit in an
'insecure' way for the 'local-data'.
My intuition tells me I might be doing something unnatural here, of
which I might not completely oversee the consequences.
You get the picture: when 'local-data' is used, Unbound might return
insecure answers, with no 'ad' flag set, for a zone that is expected to
be secure.
I guess the way it works now is the best way to go.
I don't know about that. Unbound is basically serving verifiably false
information without a ServFail and CD bit. I'd say that's probably wrong, and that it should
not allow overriding DNSSEC data with non-DNSSEC data. But that's pretty
much a "protocol view" over a "real world view". Though with more and more
validating resolvers out there, and those moving to the end users, that data will be less
useful and will get rejected ultimately anyway.
Paul
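To reproduce the behaviour Marco describes and make it visible to a client, here is an added unbound.conf fragment with the check to run against it. It is not from the thread or from NLnet Labs; it assumes a validating Unbound with a trust anchor already configured (the `auto-trust-anchor-file` path is a typical location, not taken from the thread), and the zone name `example.com` and address `192.0.2.10` are made-up values standing in for a zone that is actually signed.

```conf
# Added example, not from the thread. Assumes a validating Unbound with a
# configured trust anchor, and that example.com is a signed zone.
server:
    # Normal validation for everything Unbound resolves itself.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path

    # Override one name inside the signed zone. The answer Unbound builds
    # from local-data carries no RRSIG and never passes through the
    # validator, so the client gets it without the AD flag even though
    # the rest of example.com validates as secure.
    local-zone: "example.com." transparent
    local-data: "www.example.com. 3600 IN A 192.0.2.10"
```

To check what a client actually sees, query the overridden name and a non-overridden name in the same zone and compare the `flags:` line: `dig +dnssec @127.0.0.1 www.example.com A` returns the local-data answer with no RRSIG and no `ad` flag, while `dig +dnssec @127.0.0.1 mail.example.com A` (any name the override does not cover) returns a signed, validated answer with `ad` set. A stub that does its own validation (CD=1) will, as Paul notes, reject the overridden answer anyway; a monitor that relies on the resolver's AD flag can catch the discrepancy by alerting when a name under a known-signed zone comes back without it.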
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users