[Unbound-users] Insisting on DNSSEC
Rick van Rein
rick at openfortress.nl
Sat Jan 11 22:00:22 UTC 2014
Hello,
Am I correct that Unbound cannot require DNSSEC validation for its resolution?
The general DNS use case would call for security or validated insecurity, but other situations are possible too.
* You do not want to trust TLSA / CERT / … records that have not been validated
* Kerberos5 tends to mistrust DNS, but insofar as records are signed that could be corrected
* An application at a CA might have a policy to only trust signed portions of DNS
So, if I am correct and there is no way to enforce DNSSEC validation on everything returned, then could such an option be added in future versions?
Thanks,
-Rick
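
An added illustration (not part of the original post, and not Unbound code) of the application-side policy the use cases above describe: use an answer only when the validating resolver marked it as authenticated. It assumes the response arrives from a trusted local validating resolver, because the AD bit is only as trustworthy as the path to that resolver; the function names and sample packets are constructed.

```python
import struct

# DNS header flag masks (RFC 1035, AD bit from RFC 4035).
QR, TC, AD, RCODE_MASK = 0x8000, 0x0200, 0x0020, 0x000F


class NotValidated(Exception):
    """Raised when an answer must not be trusted under a DNSSEC-only policy."""


def classify(response: bytes) -> str:
    """Classify a raw DNS response as secure / insecure / unusable / malformed."""
    if len(response) < 12:
        return "malformed"
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if not (flags & QR) or (flags & TC):
        return "malformed"          # not a response, or truncated: retry over TCP
    if (flags & RCODE_MASK) != 0 or ancount == 0:
        return "unusable"           # includes SERVFAIL, which a validator returns for bogus data
    if flags & AD:
        return "secure"             # resolver validated the full chain of trust
    return "insecure"               # answer present but unsigned or unvalidated


def require_secure(response: bytes) -> bytes:
    """Policy gate for TLSA/CERT-style lookups: anything but 'secure' is refused."""
    verdict = classify(response)
    if verdict != "secure":
        raise NotValidated(verdict)
    return response


def _header(flags: int, ancount: int) -> bytes:
    # Constructed header-only packet: id, flags, qdcount, ancount, nscount, arcount.
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)


# Constructed samples. The query must carry AD or DO for AD to be reported (RFC 6840).
SIGNED = _header(0x81A0, 1)      # QR RD RA AD, NOERROR, one answer
UNSIGNED = _header(0x8180, 1)    # QR RD RA, NOERROR, one answer
SERVFAIL = _header(0x8182, 0)    # QR RD RA, RCODE=2

if __name__ == "__main__":
    for name, pkt in [("signed", SIGNED), ("unsigned", UNSIGNED), ("servfail", SERVFAIL)]:
        print(name, classify(pkt))
```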