[Unbound-users] DNSSEC validation by default?
Roy Arends
roy at dnss.ec
Thu Aug 7 14:44:10 UTC 2008
On Aug 7, 2008, at 3:05 PM, Wouter Wijngaards wrote:
> Hi James,
>
> You are using an older version of Bind9 I think; since this was
> considered bad behaviour by Bind, and fixed in recent releases.
> It was fixed because some legacy boxes (adsl I think) did not like
> getting AD bits in their replies and crash or hang on it.
>
> If you just want to get an AD bit in the reply if it's secure, set
> the AD bit in the query to signal that you are ready and able to
> receive the AD bit in the reply.
>
> That means getting your stub resolver to set 'AD' in queries.
>
> This has just been documented in the latest dnssec-bis-updates
> draft in the IETF dnsext working group.

Can we make that behavior configurable?

Roy
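
The signalling described in the quoted message, as an added example that is not part of the original thread or of Unbound or BIND code: a stub-side query builder that sets AD in the request, and a check that accepts AD only from a response matching the query. The function names and the sample response are constructed for illustration; the AD bit is only meaningful when the path to the validating resolver is itself trusted.

```python
import struct

# DNS header flag masks; AD is the DNSSEC "authentic data" bit (RFC 4035).
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234, want_ad=True):
    """Build a recursive query; want_ad sets the AD bit in the request."""
    flags = RD | (AD if want_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def header_flags(message):
    """Return (txid, flags) from a DNS message, rejecting short input."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!HH", message[:4])

def answer_is_authenticated(query, response):
    """True only if the response matches the query ID, is a reply, and has AD set."""
    q_id, _ = header_flags(query)
    r_id, r_flags = header_flags(response)
    if q_id != r_id or not r_flags & QR:
        return False
    return bool(r_flags & AD)

def sample_response(query, validated):
    """Constructed reply (header plus echoed question), not captured traffic."""
    txid, _ = header_flags(query)
    flags = QR | RD | RA | (AD if validated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]
```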