harden-unverified-glue
T.Suzuki
tss at reflection.co.jp
Wed Jun 11 10:40:41 UTC 2025
Hi
The unbound.conf setting "harden-unverified-glue: yes" made me happy.
The Additional Section of the delegation response from .net to tkix.net contains junk
records intentionally included for experimental purposes.
This occurs because .net does not clean up host information previously registered as glue.
Accepting this Additional Section would be dangerous.
With the recent new feature "harden-unverified-glue: yes," we can now eliminate this issue.
Note: Some domain names may become unresolvable.
However, we should stop the harmful over-interpretation of Postel's Law.
--
T.Suzuki
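
Added example (not part of the original post and not Unbound's code): a simplified sketch that sorts the address records in a referral's Additional Section into in-zone glue, out-of-zone glue and unrelated records. It assumes "in-zone" means at or below the delegated zone name; the zone, names and addresses are constructed.

```python
# Added illustration, not Unbound code. All names and addresses are constructed.

def labels(name):
    """Lower-cased labels of a domain name, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_subdomain(name, zone):
    """True if name is at or below zone, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def classify_additional(zone, ns_targets, additional):
    """Sort address records from a referral's Additional Section.

    in_zone     : owner is an NS target at or below the delegated zone
    out_of_zone : owner is an NS target outside the zone (unverified glue)
    unrelated   : owner is not an NS target of this delegation at all
    """
    targets = {".".join(labels(t)) for t in ns_targets}
    result = {"in_zone": [], "out_of_zone": [], "unrelated": []}
    for owner, rtype, rdata in additional:
        if rtype not in ("A", "AAAA"):
            continue  # only address records can act as glue
        key = ".".join(labels(owner))
        if key not in targets:
            bucket = "unrelated"
        elif is_subdomain(owner, zone):
            bucket = "in_zone"
        else:
            bucket = "out_of_zone"
        result[bucket].append((key, rtype, rdata))
    return result

# Constructed referral for the hypothetical zone child.example.
ZONE = "child.example."
NS_TARGETS = ["ns1.child.example.", "ns.other.example.", "ns.notchild.example."]
ADDITIONAL = [
    ("ns1.child.example.", "A", "192.0.2.53"),
    ("NS.other.example.", "A", "198.51.100.53"),
    # A plain string-suffix test would wrongly accept this owner name.
    ("ns.notchild.example.", "A", "203.0.113.7"),
    ("stale.host.example.", "AAAA", "2001:db8::1"),
]

if __name__ == "__main__":
    for bucket, records in classify_additional(ZONE, NS_TARGETS, ADDITIONAL).items():
        print(bucket, records)
```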