Unbound and DNSSEC validation
George Thessalonikefs
george at nlnetlabs.nl
Wed Apr 20 01:23:15 UTC 2022
Hi Luca,
This is not possible. The validator module always tries to validate the
records so that they are entered in the cache with the appropriate
DNSSEC status.
This also allows for bogus answers to be cached with the configured
'val-bogus-ttl:' (default 60 secs; to prevent repeated revalidation of
bogus data) since the TTL from the bogus answer cannot be trusted.
As a side note you could use 'domain-insecure:' for specific zones and
that would signal the validator to not attempt validation there (so no
DNSKEY queries), but I don't think that is relevant with your question.
Best regards,
-- George
On 15/04/2022 15:52, Luca via Unbound-users wrote:
> Hello,
>
> I've been running unbound 1.6.6 on CentOS7 and noticed that DNSSEC
> related queries (e.g. DNSKEY) are issued even if the original query
> requires DNSSEC validation to not be performed (CD flag enabled). Is it
> possible to make unbound not issue those DNSSEC queries without
> disabling the validator module?
>
>
> Thanks,
>
>
> Luca
>
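For readers who want to see the two options George mentions in context, here is a minimal unbound.conf fragment. This is an added illustration, not configuration posted in the thread or shipped by the Unbound project; the trust-anchor path and the zone name "corp.example" are placeholders you would replace with your own.

```conf
server:
    # The validator module stays loaded: every answer is validated so it
    # enters the cache with its DNSSEC status, regardless of the client's CD bit.
    module-config: "validator iterator"
    # Assumed path for the managed root trust anchor (RFC 5011); adjust to your install.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Lifetime of a cached bogus answer. The TTL carried by bogus data is not
    # trusted, so this fixed value is used instead; 60 seconds is the default.
    val-bogus-ttl: 60

    # Placeholder zone: names at and below it are treated as unsigned, so the
    # validator does not attempt validation there (no DNSKEY lookups) and a DS
    # record for it in the parent is ignored. Only use this for zones you have
    # deliberately decided to exempt, e.g. an internal unsigned zone.
    domain-insecure: "corp.example"
```

Note that domain-insecure: is a deliberate, per-zone exemption and is not a way to suppress DNSKEY queries for client requests that merely set CD; as George states, the validator still validates those so the cache holds a trustworthy DNSSEC status.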