[Unbound-users] DNSSEC validation by default?
james at now.ie
Tue Aug 12 18:23:18 UTC 2008
On Thu, Aug 07, 2008 at 04:59:39PM +0200, Wouter Wijngaards wrote:
> The default would need to be the safe behaviour. And the number of
> users that need the unsafe behaviour is very small. Is an upgrade of
> the other software an option? (it was expecting AD bits in replies, so
> it can be made to set them in queries, I would think).
FreeBSD uses the BIND9 resolver library and that doesn't yet have a
supported twiddle to set AD on queries. I'll pop a note off to the ISC to
ask if it's in the pipeline.
In the meantime I've recompiled libresolv to set DO on queries and that's
working fine for the moment.
A configurable option in Unbound to have the `old BIND' behaviour while the
world's stubs catch up to the new usage of AD in queries would definitely be
good for me :)
Times flies like an arrow. Fruit flies like bananas.
More information about the Unbound-users