[Unbound-users] DNSSEC validation by default?
James Raftery
james at now.ie
Thu Aug 7 14:34:27 UTC 2008
Hi,
On Thu, Aug 07, 2008 at 03:05:47PM +0200, Wouter Wijngaards wrote:
> It was fixed because some legacy boxes (adsl I think) did not like
> getting AD bits in their replies and crash or hang on it.
Grr! That's annoying. You're right; I'm using BIND 9.3 on the DNSSEC
resolvers.
> That means getting your stub resolver to set 'AD' in queries.
> Sorry for the breakage,
lol No problem - it's not your fault :) My stub has a RES_USE_DNSSEC macro
to set DO if I recompile (yuk) but not a ready-made knob to set AD. I'll
experiment with DO and see how it goes. I don't particularly want my stub
getting all the RRSIGs, etc. Ah well. It looks like I'll have to keep BIND
9.3 for the short-term :/
Thanks for your reply (and for Unbound)!
All the best,
james
--
Times flies like an arrow. Fruit flies like bananas.
More information about the Unbound-users
mailing list