[Unbound-users] Insisting on DNSSEC
Rick van Rein
rick at openfortress.nl
Mon Jan 13 15:47:09 UTC 2014
Hello,
> I understand what you want and agree with you it would be nice to have this functionality.
> One way to do this is to run a local resolver behind a proxy that translates all answers w/o AD bit to an
> empty answer with RCODE>0, not sure what RCODE
Scary stuff. Very, very hacky.
> A better way might be to propose an EDNS0 option that expresses to the resolver:
> only answer if AD==1
> and defines a new RCODE to express only insecure answer exists.
At the protocol level, that would be the proper resolution. But I doubt anyone is going to find that acceptable — I think the full force of the IETF is going to tell us that this is to be arranged in the resolver. And I would agree with them.
> This way applications that want this functionality get it and all others that use the resolver
> are not affected.
It’s always possible to make this view-dependent, and/or to run multiple resolver instances. I don’t think I’d ever combine this functionality with the default resolver on a network, but rather run it on a machine that requires this facility — so as to bypass LAN dangers (such as its users).
-Rick
More information about the Unbound-users
mailing list