On 2013-03-20 at 08:22 +0100, Ondřej Surý wrote:
> The question to answer is: How many stub resolvers do set DO/AD flag or even allow to set it?
>
> So this doesn't make much sense to me to implement in Unbound too, since I consider this practically useless.

Client applications can set it, because stub resolvers do permit it to be set. It's the RES_USE_DNSSEC flag for the resolver options field in the resolv.h interface; if your platform doesn't use resolv.h, pass.

Exim current git head does this, if the dns_use_dnssec option is set; I added it last June.

Mind, I think that unbound's approach is sane and I'm happy it is as it is, but still, if an application wants to _rely_ on DNSSEC, then it should be setting the DO flag and checking AD. This affects forthcoming DANE support, for instance.
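
Added example, not part of the original message and not Exim's or Unbound's code: a C program that sets RES_USE_DNSSEC on a resolv.h resolver state and accepts the answer only when the response header has AD set. The function names, the A-record lookup and the default name example.org are assumptions; it targets glibc's resolv.h.

```c
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

/* Return 1 if msg is a NOERROR response with the AD bit set, else 0.
 * Header bytes are read directly, so host bitfield layout does not matter. */
int response_is_authenticated(const unsigned char *msg, int len)
{
    if (msg == NULL || len < 12)      /* a DNS header is 12 bytes */
        return 0;
    if (!(msg[2] & 0x80))             /* QR: must be a response */
        return 0;
    if ((msg[3] & 0x0f) != 0)         /* RCODE: must be NOERROR */
        return 0;
    return (msg[3] & 0x20) != 0;      /* AD: resolver reports validated data */
}

/* Query an A record with DNSSEC requested (hypothetical helper).
 * Returns 1 for an answer with AD, 0 for one without, -1 on lookup failure. */
int lookup_validated(const char *name)
{
    struct __res_state st;
    unsigned char answer[4096];
    int n, rc;

    memset(&st, 0, sizeof st);
    if (res_ninit(&st) != 0)
        return -1;
    st.options |= RES_USE_DNSSEC;     /* ask the stub resolver to set DO */
    n = res_nquery(&st, name, ns_c_in, ns_t_a, answer, sizeof answer);
    rc = (n < 0) ? -1 : response_is_authenticated(answer, n);
    res_nclose(&st);
    return rc;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "example.org"; /* assumed name */
    int rc = lookup_validated(name);

    printf("%s: %s\n", name,
           rc == 1 ? "AD set" : rc == 0 ? "AD not set" : "lookup failed");
    return rc == 1 ? 0 : 1;
}
```

AD is the resolver's own assertion, so it carries weight only when the path to that resolver is trusted, such as a validating resolver on the local host.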