[Unbound-users] bug ? atleast a difference in behaviour
Jaap Akkerhuis
jaap at NLnetLabs.nl
Sun Sep 6 17:31:08 UTC 2009
So powerdns-recursor uses the glue and treats it as authoritative
data. Perhaps it has an option to change that and allow
"hardening" of the data too (kind of as per
draft-wijngaards-dnsext-resolver-side-mitigation-01)
Unbound seems to want to verify the glue at the authoritative
server. That's why I thought of unbound's harden-referral-path:
setting. It's one of the anti-Kaminsky measures of not just
blindly trusting and using glue you got. Since there is no
working authoritative source for titan.net, unbound with
harden-referral-path: yes fails to resolve titan.net and therefore
insecure.org.
Note that zonecheck.fr and similar sites apparently don't believe
the glue either.
jaap