interaction of validation and local stubs and forwarders

Måns Nilsson mansaxel at besserwisser.org
Fri Jan 9 15:10:52 UTC 2026


Subject: Re: interaction of validation and local stubs and forwarders
Date: Fri, Jan 09, 2026 at 03:46:42PM +0100
Quoting Yorgos Thessalonikefs via Unbound-users (unbound-users at lists.nlnetlabs.nl):
> Hi Måns,
> 
> Unbound needs to build a chain of trust to prove the existence or not of
> DNSSEC data.
> If access to the .se key is not possible (or the key is bogus, as an
> alternative) then the chain is not complete.
> 
> Is your domain signed? Then using either of the:
> - trust-anchor-file [1], or
> - trust-anchor [2]
> options would start the chain of trust at your domain, no need for root or
> .se .
> 
> Is your domain not signed? Then using domain-insecure [3] would treat that
> domain as insecure, no need for a chain of trust to prove that.

Thanks for replying. Yes, we today have done some in-house stress
tests and realised what is the right answer for this deployment. It is
good to have confirmation that we understand the problem.

Best regards, 
-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE           SA0XLR            +46 705 989668
I love ROCK 'N ROLL!  I memorized the all WORDS to "WIPE-OUT" in
1965!!
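
The two alternatives from the quoted reply, sketched as an unbound.conf fragment. This is an added example, not configuration posted in the thread or taken from the Unbound project; the zone name `internal.example.se.`, the key file path, the stub address and the DS placeholder fields are all assumptions for illustration.

```conf
# Added example: constructed values, not from the thread.
server:
    # Case 1: the local zone IS signed.
    # Anchor the chain of trust at the zone itself, so validation of
    # names under it does not depend on reaching the root or .se keys.
    trust-anchor-file: "/etc/unbound/keys/internal.example.se.key"   # assumed path
    # Inline alternative to the file (placeholder fields, fill in from your zone):
    # trust-anchor: "internal.example.se. DS <keytag> <algorithm> <digest-type> <digest-hex>"

    # Case 2: the local zone is NOT signed.
    # Use this INSTEAD of the trust anchor above. Answers under the zone
    # are treated as insecure and no chain of trust is built for them.
    # domain-insecure: "internal.example.se."

# Local stub that serves the zone (assumed address from the documentation range).
stub-zone:
    name: "internal.example.se."
    stub-addr: 192.0.2.53
```

With `domain-insecure` the resolver accepts unvalidated answers for everything under that name, so scope it to the narrowest zone that needs it and make sure the stub address is only reachable over a trusted path.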