[Unbound-users] Insisting on DNSSEC
Olafur Gudmundsson
ogud at ogud.com
Mon Jan 13 19:46:51 UTC 2014
On Jan 13, 2014, at 10:54 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 13/01/2014 15:14, Olafur Gudmundsson wrote:
>
>> A better way might be to propose an EDNS0 option that expresses to the resolver:
>> only answer if AD==1
>> and defines a new RCODE to express only insecure answer exists.
>
> I don't see how this helps. If the application can't be updated to check AD=1, then it presumably can't be updated to send an EDNS option.
>
> Or if you're proposing to patch the libc resolver, then it could just as easily force/check AD=1, surely?
I mentioned one way this could be done in the protocol; another way is to do it in the resolver library:
if an application can tell the resolver library ONLY AD=1, then that works as long as the application knows.
Olafur
PS: I hope the libc DNS library will be retired; adding this functionality to libunbound or libldns should not be that hard.
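The application-side check discussed above (force/check AD=1), written out as an added example; it is not code from this thread or from Unbound, and the DNS response bytes it parses are constructed samples, not captured traffic.

```python
import struct

# Bits of the flags word in a DNS message header (RFC 1035 s4.1.1, AD/CD from RFC 4035).
QR = 0x8000      # response
TC = 0x0200      # truncated
RD = 0x0100      # recursion desired
RA = 0x0080      # recursion available
AD = 0x0020      # Authenticated Data: resolver validated the answer with DNSSEC
CD = 0x0010      # Checking Disabled
RCODE_MASK = 0x000F

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "ra": bool(flags & RA), "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": flags & RCODE_MASK, "qdcount": qd, "ancount": an}

def build_response(flags: int, ident: int = 0x1234) -> bytes:
    """Constructed sample response (not captured traffic): A query for example.com, one answer."""
    header = struct.pack("!6H", ident, flags, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)   # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

def classify(msg: bytes) -> str:
    """Apply the "only accept AD==1" policy from the thread to one response.
    AD is only meaningful when the path to the validating resolver is trusted
    (e.g. a local Unbound), since anything on the path can set the bit too."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["tc"]:
        return "truncated"                 # retry over TCP before judging the answer
    if h["rcode"] == 2:
        return "servfail"                  # what a validating resolver returns for bogus data
    if h["rcode"] != 0:
        return "rcode-%d" % h["rcode"]
    if h["ad"]:
        return "authenticated"
    # Today's protocol cannot distinguish "zone is unsigned" from "resolver did not
    # validate"; this is the gap the new RCODE proposed in the thread would close.
    return "insecure-or-unvalidated"

def accept(msg: bytes) -> bool:
    return classify(msg) == "authenticated"
```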