[Unbound-users] Insisting on DNSSEC
Rick van Rein
rick at openfortress.nl
Sun Jan 12 10:03:47 UTC 2014
Hi,

> If an application wants to insist on DNSSEC, they simply need to query
> and check for the AD bit being set. It's not up to the resolver to
> set application policy.

Two reasons make this technically correct, but intractable:

1. The person wanting to enforce this policy may be a sysadmin, rather than a developer. He’d end up doing nasty things with firewalls and experience delay times.
2. I think the recursive resolver is the ultimate place to implement insisting on DNSSEC; using an overloaded bit to do it elsewhere somewhat scares me.

So I, ehm, insist, that this is a useful feature to add to Unbound ;-)

Thanks,
-Rick