Does unbound ignore unsigned replies from a signed zone?

Hi!

In a router related forum I read the following post dated April 2019 comparing unbound and dnsmasq:

"[…] Since dnsmasq defaults to strict DNSSEC validation, it rejects those invalid DNS entries, and therefore the test completely fails.

Your Unbound “works” because it simply ignores unsigned replies from a signed zone… Which means it’s doing zero to protect you against DNS hijacking. Any hijacking could simply NOT sign the fake DNS zone, and you would never even know.

Dnsmasq’s strict validation is the way proper DNSSEC is meant to work, if you want DNSSEC to truly be an effective protection mechanism.”

This post left me feeling a bit insecure. I’m not a pro; my questions are just:

  1. Is this true for unbound 1.9.x, i.e. unbound ignores unsigned replies from a DNSSEC-signed zone? Or was this the case only in older versions of unbound? If yes, what version fixed it?
  2. How about strict (vs. opportunistic) DNSSEC validation in current unbound 1.9.x? Is there such a feature? Is strict DNSSEC validation available in unbound?

Thank you for your help.

> "[...] Since dnsmasq defaults to strict DNSSEC validation, it rejects those invalid DNS entries,
> and therefore the test completely fails.

That's not so much "strict" but just how DNSSEC is supposed to work.

> Your Unbound "works" because it simply ignores unsigned replies from a signed zone...

Which is another way of saying "strict" like above ???

> Which means
> it's doing zero to protect you against DNS hijacking. Any hijacking could simply NOT sign the fake
> DNS zone, and you would never even know.

This is wrong. For a known signed zone with a parental delegation, any
proper implementation of a DNS resolver will drop DNS answers that are
missing the signature records.

A "hijacked zone" with DNS answers that miss the RRSIG signature records
will be ignored. If no proper RRSIG records are received, a proper
implementation like unbound (and dnsmasq) returns ServFail. The DNSSEC
status for this is called INDETERMINATE (as in, answers were withheld,
so we cannot validate the result, so we cannot answer).

> Dnsmasq's strict validation is the way proper DNSSEC is meant to work, if you want DNSSEC to truly
> be an effective protection mechanism."

That's the same for unbound. I have no idea what the quoted poster
means, but their statements are self-contradicting and wrong.

> 1. Is this true for unbound 1.9.x, i.e. unbound ignores unsigned replies from a DNSSEC-signed
>    zone? Or was this the case only in older versions of unbound? If yes, what version fixed it?

Of course unsigned responses are dropped if the parental record stated
you needed to expect signed answers from a certain key.

> 2. How about strict (vs. opportunistic) DNSSEC validation in current unbound 1.9.x? Is there such
>    a feature? Is strict DNSSEC validation available in unbound?

There is no "non-strict" mode in DNSSEC. Think about it, being
"unstrict" means the same as offering no DNSSEC at all, if it means
that anyone could spoof anything.

Paul
ps. systemd-resolved does have a broken "feature" where it uses the
first signed or unsigned answer it received, and used to not check
if the first unsigned response to come in should have been signed. I'm
not sure if that is still the case.

unbound and - I assume DNSMASQ too - will do DNSSEC validation if they are required to do so by configuration.
If there are signatures and validation succeeds, the answer is sent back to the client as authenticated data (AD flag set in the response).
Usually, if validation fails, the result is just "SERVFAIL". A client /may/ ask the resolver to skip validation by setting the CD flag (checking disabled) as part of the query.
There is an unbound option "ignore-cd-flag" to not allow a client to ask unbound to skip validation.

Maybe your forum user mixed these facts wrongly ...

Andreas
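The behaviour Paul and Andreas describe, as an added example that is not part of the thread: a toy model of the decision a validating resolver makes. It parses a constructed wire-format reply (not a real capture) to see whether the answer section carries RRSIG records, and combines that with whether the parent published a DS record (the zone is known to be signed), whether the signatures verify (stubbed here as a boolean, since real validation walks the DNSKEY chain), and the client's CD flag together with an ignore-cd setting.

```python
import struct
RRSIG, A = 46, 1

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = end if jumped else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def answer_types(msg):
    """Return the RR types found in the answer section of a wire-format reply."""
    _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen  # skip fixed RR header and RDATA
        types.append(rtype)
    return types

def resolver_outcome(msg, parent_has_ds, sigs_verify, client_cd=False, ignore_cd=False):
    """What a validating resolver hands to the client for this upstream reply."""
    if not parent_has_ds:  # no DS at the parent: zone is provably unsigned
        return "NOERROR (insecure, no AD)"
    cd = client_cd and not ignore_cd  # ignore-cd-flag overrides the client's CD bit
    if RRSIG not in answer_types(msg) or not sigs_verify:
        return "NOERROR (CD set, unvalidated)" if cd else "SERVFAIL (no valid signatures)"
    return "NOERROR + AD (secure)"

def build_response(types):
    """Constructed sample reply for www.example. A 192.0.2.1 (not a real capture)."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, len(types), 0, 0)
    question = b"\x03www\x07example\x00" + struct.pack("!HH", A, 1)
    rrs = b""
    for t in types:
        rdata = bytes([192, 0, 2, 1]) if t == A else b"\x00" * 16  # dummy RRSIG RDATA
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rdata)) + rdata
    return hdr + question + rrs
```

Calling `resolver_outcome(build_response([A]), True, True)` models the "hijacked" reply from the quoted post: the parent says the zone is signed, no RRSIG arrives, and the client gets SERVFAIL rather than the unsigned data.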

Hi!

Thanks for your prompt answer. Well, the original post is here:
https://www.snbforums.com/threads/preview-asuswrt-merlin-384-11-with-dns-over-tls.56095/page-26#post-484685

It's about the Cloudflare security-test website
(Cloudflare Browser Check) that reports "You may not
be using secure DNS" for some users although those users expect another
result. And the original poster brought up that statement about unbound
missing a strict DNSSEC mode ... which then confused me because it
sounded like there is something wrong with unbound, which I'd like to have
clarified. :hehe: I use unbound on my Raspberry Pi, with DoT upstream
servers (port 853 and TLS authentication).

In the end they agreed upon the Cloudflare test site being buggy (compare
https://www.snbforums.com/threads/preview-asuswrt-merlin-384-11-with-dns-over-tls.56095/page-30#post-485000).
However, that statement about unbound allegedly missing something like a
strict DNSSEC mode (that dnsmasq and stubby are claimed to have) has been
haunting my mind, but maybe I mix things up ... I'm a DNS newbie.

Best regards

Hi Paul!

Thank you very much for your answer. This next to Andreas' reply helped me a lot.

In my reply to Andreas I provided some details about the original post in that other forum I referred to. I don't think the statement of the original poster was meant as criticism regarding unbound - however his statement haunted my mind :wink:

Thanks to your explanation my trust in unbound is back and I will gladly continue using it on my Pi as my local DNS resolver :blush: