[Unbound-users] DNSSEC validation by default?
Jakob Schlyter
jakob at rfc.se
Thu Aug 7 13:25:55 UTC 2008
On 7 aug 2008, at 15.05, Wouter Wijngaards wrote:
> You are using an older version of Bind9 I think; since this was
> considered bad behaviour by Bind, and fixed in recent releases.
> It was fixed because some legacy boxes (adsl I think) did not like
> getting AD bits in their replies and crash or hang on it.
correct (and I was the one that found the bug) - some crappy NAT-boxes
dropped DNS answers with AD set.
> If you just want to get an AD bit in the reply if it's secure, set the AD
> bit in the query to signal that you are ready and able to receive the AD
> bit in the reply.
>
> That means getting your stub resolver to set 'AD' in queries.
>
> This has just been documented in the latest dnssec-bis-updates draft in
> the IETF dnsext working group.
yes, this is the way to go.
jakob
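The exchange above, as an added example that is not part of the thread or of Unbound's code: a stub that sets the AD flag (RFC 4035, bit 0x0020 of the header flags word) in its query, and only treats an answer as validated when the response echoes the query ID with AD set and RCODE 0. The response packets are constructed here for offline use.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035), in the 16-bit flags word.
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data: validator asserts the answer verified
FLAG_CD = 0x0010  # checking disabled: ask the resolver to skip validation


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=1, set_ad=True):
    """Build a one-question query; AD in the query signals 'I can take AD back'."""
    flags = FLAG_RD | (FLAG_AD if set_ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def query_signals_ad(packet):
    return bool(struct.unpack("!H", packet[2:4])[0] & FLAG_AD)


def response_flags(packet):
    qid, flags = struct.unpack("!HH", packet[:4])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F}


def validated(query, response):
    """True only if the reply matches our query ID, is NOERROR, and carries AD."""
    qid = struct.unpack("!H", query[:2])[0]
    r = response_flags(response)
    return r["qr"] and r["id"] == qid and r["rcode"] == 0 and r["ad"]


# Constructed sample replies (question section only): one validated, one not.
_QSEC = encode_name("example.com") + struct.pack("!HH", 1, 1)
SAMPLE_SECURE_RESPONSE = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 0, 0, 0) + _QSEC
SAMPLE_INSECURE_RESPONSE = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 0, 0, 0) + _QSEC
```

An AD bit is only evidence of validation when the path between stub and validator is itself trusted (loopback or a signed/encrypted channel); an on-path party can set or clear it otherwise.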