[Unbound-users] Google Public DNS

Joe Abley jabley at hopcount.ca
Wed Mar 20 11:55:57 UTC 2013


On 2013-03-20, at 05:55, Phil Pennock <unbound-users+phil at spodhuis.org> wrote:

> Mind, I think that unbound's approach is sane and I'm happy it is as it
> is, but still, if an application wants to _rely_ on DNSSEC, then it
> should be setting the DO flag and checking AD.  This affects forthcoming
> DANE support, for instance.

I think if an application wants to _rely_ on DNSSEC, then it should be setting the DO bit and the CD bit, and doing its own validation.


Joe
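
Added example, not part of the original message or of Unbound: the two approaches in this thread differ only in a few bits on the wire, and this Python code builds both queries and reads the bits back. The function names, the query name and the 1232-byte EDNS buffer size are assumptions chosen for illustration.

```python
import struct

# Header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 3225).
RD, AD, CD = 0x0100, 0x0020, 0x0010
DO = 0x8000
TYPE_OPT, TYPE_TLSA = 41, 52

def encode_name(name):
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype, *, do, cd, msg_id=0x1234):
    """Wire-format query with one question and one EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", msg_id, RD | (CD if cd else 0), 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode, version, flags.
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 1232, 0, 0, DO if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + n

def dnssec_bits(msg):
    """Return the AD and CD header bits and the DO bit of any OPT record."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, _, eflags, rdlen = struct.unpack("!HHBBHH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            do = bool(eflags & DO)
        off += 10 + rdlen
    return {"AD": bool(flags & AD), "CD": bool(flags & CD), "DO": do}

# Constructed sample inputs (hypothetical name; nothing is sent on the network).
QNAME = "_443._tcp.example.org"
ad_query = build_query(QNAME, TYPE_TLSA, do=True, cd=False)  # DO set, check AD in reply
cd_query = build_query(QNAME, TYPE_TLSA, do=True, cd=True)   # DO+CD, validate locally
# Constructed reply: the same message with QR, RD, RA and AD set in the header.
ad_reply = ad_query[:2] + struct.pack("!H", 0x8000 | RD | 0x0080 | AD) + ad_query[4:]
```

With CD set, the resolver returns the RRSIG data without validating it, so the AD bit in the reply carries no meaning for the application and the signature checks have to happen locally.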


