Maintained by: NLnet Labs

[Unbound-users] DNSSEC validation by default?

James Raftery
Thu Aug 7 16:34:27 CEST 2008


On Thu, Aug 07, 2008 at 03:05:47PM +0200, Wouter Wijngaards wrote:
> It was fixed because some legacy boxes (adsl I think) did not like
> getting AD bits in their replies and crash or hang on it.

Grr! That's annoying. You're right; I'm using BIND 9.3 on the DNSSEC

> That means getting your stub resolver to set 'AD' in queries.
> Sorry for the breakage,

lol  No problem - it's not your fault :)  My stub has a RES_USE_DNSSEC macro
to set DO if I recompile (yuk) but not a ready-made knob to set AD. I'll
experiment with DO and see how it goes. I don't particularly want my stub
getting all the RRSIGs, etc. Ah well. It looks like I'll have to keep BIND
9.3 for the short-term :/

Thanks for your reply (and for Unbound)!

All the best,
Times flies like an arrow. Fruit flies like bananas.