unset the 'dnssec ok' flag in requests

Ralph Dolmans ralph at nlnetlabs.nl
Fri Oct 7 13:17:53 UTC 2016

Hi Rob,

No, Unbound does not have a configuration option to disable the DO flag
on outgoing queries.

-- Ralph

On 06-10-16 19:56, Rob Andrzejewski via Unbound-users wrote:
> Afternoon Unbound Users,
> In my particular use case of Unbound, we don't need dnssec validation.
> I have disabled validation through the config and confirmed that the
> server is not validating.  However, I recently did a tcpdump of my
> unbound server traffic and noticed that Unbound sets the 'do' flag on
> all recursive queries.
> So, it is receiving all the dnssec info even though it's not using it
> for validation.  Which also means it's caching all the rrsig, etc
> records.
> Is there a configuration option to disable the 'do' flag on outbound requests?
> Any assistance is greatly appreciated.
> Thanks,
> RA

More information about the Unbound-users mailing list