Maintained by: NLnet Labs

[Unbound-users] DNSSEC validation by default?

Roy Arends
Thu Aug 7 16:44:10 CEST 2008


On Aug 7, 2008, at 3:05 PM, Wouter Wijngaards wrote:

> Hi James,
>
> You are using an older version of Bind9 I think; since this was
> considered bad behaviour by Bind, and fixed in recent releases.
> It was fixed because some legacy boxes (adsl I think) did not like
> getting AD bits in their replies and crash or hang on it.
>
> If you just want to get an AD bit in the reply if it's secure, set
> the AD bit in the query to signal that you are ready and able to
> receive the AD bit in the reply.
>
> That means getting your stub resolver to set 'AD' in queries.
>
> This has just been documented in the latest dnssec-bis-updates
> draft in the IETF dnsext working group.

Can we make that behavior configurable?

Roy
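The signalling Wouter describes, as an added example that is not part of the thread: a stub-side query builder that sets the AD bit in the DNS header, plus a header parser that reports whether the reply carries AD (the resolver's statement that it validated the data). The flag bit positions follow RFC 1035 and RFC 4035. The `send_query` helper, its default target `127.0.0.1:53` and all function names are this example's own assumptions, and `SAMPLE_REPLY` is a constructed packet so the parsing can be checked offline.

```python
import socket
import struct

# 16-bit DNS header flags field (RFC 1035 section 4.1.1, AD/CD from RFC 4035).
QR = 0x8000  # response
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # authenticated data (validator says the answer is secure)
CD = 0x0010  # checking disabled
RCODE_MASK = 0x000F


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, want_ad=True):
    """Build a single-question UDP query; with want_ad the AD bit is set in
    the query header, which is how a stub tells the resolver it can cope
    with an AD bit coming back."""
    flags = RD | (AD if want_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(packet):
    """Decode the 12-byte header into the flags a stub cares about."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def reply_is_authenticated(query, reply):
    """True only if the reply matches the query's ID, is a response,
    and the resolver set AD on it."""
    q, r = parse_header(query), parse_header(reply)
    return r["qr"] and r["id"] == q["id"] and r["ad"]


def send_query(packet, server="127.0.0.1", port=53, timeout=2.0):
    """Send over UDP and return the raw reply (assumed local resolver)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        data, _ = s.recvfrom(4096)
    return data


# Constructed sample reply: ID 0x1234, QR|RD|RA|AD, one A record for
# example.com pointing at the documentation prefix 192.0.2.1.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("query flags:", parse_header(q))
    print("sample reply authenticated:", reply_is_authenticated(q, SAMPLE_REPLY))
```

The AD bit in a reply only means something when the path between the stub and the validating resolver is itself trusted (loopback, or a channel the stub protects), since any on-path party could set the bit; that is the usual reason the bit is tied to a local or authenticated resolver rather than trusted from arbitrary servers.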