Florian Weimer via Unbound-users wrote:
> * Paul Wouters:
>
> >> On Apr 27, 2017, at 08:11, Florian Weimer via Unbound-users
> >> <unbound-users@unbound.net> wrote:
> >>
> >> Does Unbound use otherwise non-trustworthy data simply because it has
> >> valid DNSSEC signatures?
> >>
> >
> > How can data be signed and validated and also "non-trustworthy"?
>
> Non-trustworthy according to DNS rules. For example, data from the
> target in a completely different zone for which the server providing the
> reply is not even authoritative.
>
> > I see how data can be unwanted or superfluous, but if it validates
> > then the daemon could obtain the same data using direct queries.
>
> Only if the cryptographic validation is correct.
Why? If an attacker can steal a zone signing key and use it to forge signatures, *and* a validator implementation does not enforce out-of-bailiwick rules for validly signed data, then there is no need for the forged data to also be available via direct queries. That is a good reason to continue to reject out-of-bailiwick data even if it is validly signed.

-- 
Robert Edmonds
edmo...@debian.org
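As an added illustration of the rule argued for in this thread (this is not Unbound's code and not from any of the posters), a label-wise bailiwick filter that discards records outside the queried server's zone without consulting their DNSSEC status at all; the zone name, the `RR` record shape and the sample response are constructed assumptions:

```python
from dataclasses import dataclass


def _labels(name: str) -> list[str]:
    """Canonicalise a DNS name: case-insensitive, trailing dot ignored, root -> []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or lies below it, compared label by label.

    A plain substring test would wrongly accept "evil-example.com" for the
    zone "example.com"; comparing label lists avoids that.
    """
    o, z = _labels(owner), _labels(zone)
    if not z:  # root zone: every name is in bailiwick
        return True
    return len(o) >= len(z) and o[-len(z):] == z


@dataclass
class RR:
    owner: str
    rtype: str
    rdata: str
    dnssec_valid: bool  # signature result, deliberately not consulted below


def filter_response(rrs: list[RR], zone: str) -> tuple[list[RR], list[RR]]:
    """Split a reply from a server authoritative for `zone` into records the
    resolver may use and records it must discard. A valid signature does not
    rescue out-of-bailiwick data: with a stolen ZSK anything can be signed,
    so the bailiwick rule is what actually stops the injection."""
    kept, dropped = [], []
    for rr in rrs:
        (kept if in_bailiwick(rr.owner, zone) else dropped).append(rr)
    return kept, dropped


# Constructed sample: a reply from a server authoritative for example.com.
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10", True),
    RR("ns1.example.com.", "A", "192.0.2.1", False),
    RR("example.org.", "A", "192.0.2.20", True),       # signed, but foreign zone
    RR("evil-example.com.", "A", "192.0.2.30", True),  # substring look-alike
]

if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_RESPONSE, "example.com")
    print("kept:", [rr.owner for rr in kept])
    print("dropped:", [rr.owner for rr in dropped])
```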