[Unbound-users] DNSSEC validation by default?
roy at dnss.ec
Thu Aug 7 14:44:10 UTC 2008
On Aug 7, 2008, at 3:05 PM, Wouter Wijngaards wrote:
> * PGP Signed by an unverified key: 08/07/08 at 15:05:47
> Hi James,
> You are using an older version of Bind9 I think; since this was
> considered bad behaviour by Bind, and fixed in recent releases.
> It was fixed because some legacy boxes (adsl I think) did not like
> getting AD bits in their replies and crash or hang on it.
> If you just want to get an AD bit in the reply if its secure, set
> the AD
> bit in the query to signal that you are ready and able to receive
> the AD
> bit in the reply.
> That means getting your stub resolver to set 'AD' in queries.
> This has just been documented in the lastest dnssec-bis-updates
> draft in
> the IETF dnsext working group.
Can we make that behavior configurable?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 195 bytes
Desc: not available
More information about the Unbound-users