[Unbound-users] Insisting on DNSSEC

Paul Wouters paul at nohats.ca
Sun Jan 12 03:20:22 UTC 2014


On Sun, 12 Jan 2014, Rick van Rein wrote:

> I *think* I am asking for something new — namely, to insist on presence of DNSSEC and proper validation on it.  In other words, to be able to neglect anything that is not properly signed.

If an application wants to insist on DNSSEC, they simply need to query
and check for the AD bit being set. It's not up to the resolver to
set application policy.

Paul
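
Added example, not part of the original message or of Unbound's code: one way an application can perform the check described above, by setting AD in its query and accepting an answer only when the response is NOERROR with AD set. The names build_query, accept_answer and sample_response are hypothetical, the sample responses are constructed header-only packets, and the AD bit is only meaningful when the validating resolver is reached over a trusted path such as localhost.

```python
import struct

QR, TC, RD, AD = 0x8000, 0x0200, 0x0100, 0x0020  # DNS header flag bits
RCODE_MASK = 0x000F


def build_query(name, qtype=1, qid=0x1234):
    """Build a query with RD and AD set. AD in a query tells the
    resolver that the client understands the AD bit in the reply."""
    header = struct.pack("!HHHHHH", qid, RD | AD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def accept_answer(response, qid):
    """Application policy: use the data only if the resolver marked it
    as DNSSEC-validated. Anything else is treated as no answer."""
    if len(response) < 12:
        return False
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & QR:
        return False          # not a response to our query
    if flags & TC:
        return False          # truncated, caller should retry over TCP
    if flags & RCODE_MASK:
        return False          # e.g. SERVFAIL, which a validator returns for bogus data
    if ancount == 0:
        return False          # nothing to use
    return bool(flags & AD)   # unsigned (insecure) zones come back without AD


def sample_response(query, flags, ancount):
    """Constructed test input: reuse the query's ID and question,
    replace the flags and answer count. No real answer records."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("example.com")
    for label, flags, an in [("validated", 0x81A0, 1),
                             ("unsigned", 0x8180, 1),
                             ("bogus/SERVFAIL", 0x8182, 0)]:
        print(label, accept_answer(sample_response(q, flags, an), 0x1234))
```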


