## page was renamed from DNSSEC/unbound
== DNSSEC/unbound ==

----

Unbound DNS Tutorial https://calomel.org/unbound_dns.html
Check the DNSSEC implementation.

== anchor ==
http://unbound.jp/unbound/howto_anchor/

== turnoff dnssec ==
https://www.unbound.net/documentation/howto_turnoff_dnssec.html
http://unbound.jp/unbound/howto_turnoff_dnssec/

2. Remove the trust anchor
If you remove the trust anchor entries from the unbound.conf file, DNSSEC is no longer used for the domains whose entries were removed.

3. Disable the validator module
This also disables validation for all other domains, including DLV. The entry in unbound.conf looks like this:
{{{
server:
    module-config: "iterator"
}}}

== Startup script ==
The startup script seems to run unbound-anchor, so it is probably best to disable that as well.
https://twitter.com/yuuturn5/status/893379572476944385

Unbound users ML
https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004869.html
{{{
Otherwise, unbound shouldn't be fetching the DNSKEY itself then, but downstream clients could still be asking for it.
}}}

== bug ==
http://www.debian.org/security/2011/dsa-2243.ja.html

== conf option ==
{{{
harden-dnssec-stripped:
    Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes bogus. If turned off, and no DNSSEC data is received (or the DNSKEY data fails to validate), then the zone is made insecure, this behaves like there is no trust anchor. You could turn this off if you are sometimes behind an intrusive firewall (of some sort) that removes DNSSEC data from packets, or a zone changes from signed to unsigned to badly signed often. If turned off you run the risk of a downgrade attack that disables security for a zone. Default is on.
}}}

disable-dnssec-lame-check:
{{{
If true, disables the DNSSEC lameness check in the iterator. This check sees if RRSIGs are present in the answer, when dnssec is expected, and retries another authority if RRSIGs are unexpectedly missing. The validator will insist in RRSIGs for DNSSEC signed domains regardless of this setting, if a trust anchor is loaded.
}}}
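As an added example (not code from this page or from the unbound project), a small Python audit that reads the server: clause of an unbound.conf and reports the settings discussed above: a module-config without validator, no trust anchor configured, harden-dnssec-stripped turned off, and the lameness check disabled. The option names are real unbound options; the sample configuration and the finding messages are constructed for this example.

```python
from collections import defaultdict

# Constructed unbound.conf fragment (not from the page) reproducing the
# "turn off DNSSEC" setup: validator dropped from module-config, the
# stripped-data hardening disabled, and the trust anchor commented out.
SAMPLE_CONF = """\
# constructed example
server:
    interface: 127.0.0.1
    module-config: "iterator"
    harden-dnssec-stripped: no
    # auto-trust-anchor-file: "/var/lib/unbound/root.key"
remote-control:
    control-enable: no
"""

# Real unbound options that load a trust anchor.
ANCHOR_OPTIONS = {"auto-trust-anchor-file", "trust-anchor-file",
                  "trust-anchor", "trusted-keys-file"}

def parse_server(conf_text):
    """Return {option: [values]} for the server: clause of an unbound.conf."""
    opts = defaultdict(list)
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line == line.lstrip() and line.endswith(":") and " " not in line:
            section = line[:-1]                       # clause header, e.g. "server"
            continue
        if section != "server" or ":" not in line:
            continue
        key, value = line.strip().split(":", 1)
        opts[key.strip()].append(value.strip().strip('"'))
    return opts

def audit(conf_text):
    """List findings; each explains why DNSSEC validation is weakened or off."""
    opts = parse_server(conf_text)
    findings = []
    # Unbound defaults: "validator iterator", stripped=yes, lame-check enabled.
    modules = opts.get("module-config", ["validator iterator"])[-1].split()
    if "validator" not in modules:
        findings.append("validator module absent: no DNSSEC validation at all")
    if not ANCHOR_OPTIONS & set(opts):
        findings.append("no trust anchor configured: nothing can be validated")
    if opts.get("harden-dnssec-stripped", ["yes"])[-1] == "no":
        findings.append("harden-dnssec-stripped off: downgrade attack possible")
    if opts.get("disable-dnssec-lame-check", ["no"])[-1] == "yes":
        findings.append("lameness check disabled: missing RRSIGs not retried")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WARN:", finding)
```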