[Unbound-users] DNSSEC validation by default?

James Raftery
Tue Aug 12 20:23:18 CEST 2008


On Thu, Aug 07, 2008 at 04:59:39PM +0200, Wouter Wijngaards wrote:
> The default would need to be the safe behaviour.  And the number of
> users that need the unsafe behaviour is very small.  Is an upgrade of
> the other software an option? (it was expecting AD bits in replies, so
> it can be made to set them in queries, I would think).

FreeBSD uses the BIND9 resolver library and that doesn't yet have a
supported twiddle to set AD on queries. I'll pop a note off to the ISC to
ask if it's in the pipeline.

In the meantime I've recompiled libresolv to set DO on queries and that's
working fine for the moment.

A configurable option in Unbound to have the `old BIND' behaviour while the
world's stubs catch up to the new usage of AD in queries would definitely be
good for me :)

Thanks again,
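
Added example, not part of the original message and not code from Unbound, BIND or libresolv: the two query-side signals discussed in this thread, the AD flag in the DNS header and the DO bit in an EDNS0 OPT record, built at wire level in Python, plus a check for AD in a reply. The function names, query ID and sample reply header are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020
DO = 0x8000  # DO bit in the flags half of the EDNS0 OPT TTL field (RFC 6891)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qid, set_ad=False, set_do=False, udp_size=4096):
    """Build an A query; optionally set header AD and/or append an OPT RR with DO."""
    flags = RD | (AD if set_ad else 0)
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if set_do else 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if set_do:
        # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL=ext-rcode|version|flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, 0, 0, DO, 0)
    return msg


def query_signals(msg):
    """Return (ad_in_header, do_in_opt) for a query produced by build_query."""
    flags, = struct.unpack("!H", msg[2:4])
    arcount, = struct.unpack("!H", msg[10:12])
    do = False
    if arcount:
        # build_query puts the OPT RR last: 1-byte root name + these 10 bytes
        rtype, _, _, _, eflags, _ = struct.unpack("!HHBBHH", msg[-10:])
        do = rtype == TYPE_OPT and bool(eflags & DO)
    return bool(flags & AD), do


def reply_is_authenticated(reply):
    """True if the reply header has both QR and AD set."""
    flags, = struct.unpack("!H", reply[2:4])
    return bool(flags & QR) and bool(flags & AD)


# Constructed sample reply header (not captured traffic): QR|RD|RA|AD, NOERROR.
SAMPLE_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 0)
```

A stub that acts on the AD bit is trusting both the validating resolver and the network path to it, since the bit itself is not cryptographically protected.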
