Using *only* the trust anchor for one zone?

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Jan 4 17:02:43 UTC 2023


I define a trust anchor for one specific zone (which is otherwise
normally signed). However, even if I indicate a wrong trust anchor,
Unbound happily validates the zone. Checking with tcpdump, Unbound
indeed sends DNSKEY queries and, I presume, validates with the DNSKEY
or with the trust anchor, whichever works.

I would like instead to use *only* the trust anchor, without DNSKEY
queries (this is to test some unusual setups). Is it possible? I don't
find relevant configuration options for that.

