"domain-insecure" no longer necessary?

Daisuke HIGASHI daisuke.higashi at gmail.com
Sun May 8 14:35:46 UTC 2016

Hi, Stephane

Isn't that TLD signed with NSEC3 Opt-Out ?

2016-05-08 23:12 GMT+09:00 Stephane Bortzmeyer via Unbound-users
<unbound-users at unbound.net>:
> I have some dummy domains (not existing in the real public DNS) in my
> unbound.conf, using "forward-zone". It seems to me that it was
> necessary to add also "domain-insecure" for these domains when their
> parent is signed.
> But I just added a second-level domain of a signed TLD as
> "forward-zone" and it worked fine without "domain-insecure".
> Did anything change in the semantics of forward-zone?
> Version 1.5.8
> linked libs: libevent 2.0.22-stable (it uses epoll), OpenSSL 1.0.2h  3
> May 2016
> linked modules: dns64 validator iterator

More information about the Unbound-users mailing list