Phil Pennock
Wed Mar 20 10:55:38 CET 2013

On 2013-03-20 at 08:22 +0100, Ondřej Surý wrote:
> The question to answer is: How many stub resolvers do set DO/AD flag or even allow to set it? So this doesn't make much sense to me to implement in Unbound too, since I consider this practically useless.

Client applications can set it, because stub resolvers do permit it to
be set.  It's the RES_USE_DNSSEC flag for the resolver options field in
the resolv.h interface; if your platform doesn't use resolv.h, pass.

Exim current git head does this, if the dns_use_dnssec option is set; I
added it last June.

Mind, I think that unbound's approach is sane and I'm happy it is as it
is, but still, if an application wants to _rely_ on DNSSEC, then it
should be setting the DO flag and checking AD.  This affects forthcoming
DANE support, for instance.
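
An added example, not part of the original message and not Exim's code: a client sets RES_USE_DNSSEC through the resolv.h interface and accepts an answer only if the AD bit is set. The function names, the LIVE_LOOKUP build macro and the sample headers are assumptions made for illustration; the sample headers are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed 12-byte DNS headers (sample data, not captured traffic). */
static const unsigned char SAMPLE_AD[12]       = {0x12,0x34,0x81,0xa0,0,1,0,1,0,0,0,1};
static const unsigned char SAMPLE_NO_AD[12]    = {0x12,0x34,0x81,0x80,0,1,0,1,0,0,0,1};
static const unsigned char SAMPLE_SERVFAIL[12] = {0x12,0x34,0x81,0xa2,0,1,0,0,0,0,0,1};

/* Returns 1 only for a complete NOERROR response with AD set; everything
 * else is treated as unauthenticated (fail closed). AD is only meaningful
 * when the resolver and the path to it are trusted, e.g. a validating
 * resolver on the loopback interface. */
int dns_answer_authenticated(const unsigned char *msg, size_t len)
{
    if (msg == NULL || len < 12) return 0;  /* fixed DNS header is 12 bytes */
    if (!(msg[2] & 0x80)) return 0;         /* QR clear: not a response */
    if (msg[2] & 0x02) return 0;            /* TC set: truncated */
    if ((msg[3] & 0x0f) != 0) return 0;     /* RCODE is not NOERROR */
    return (msg[3] & 0x20) ? 1 : 0;         /* AD bit */
}

#ifdef LIVE_LOOKUP  /* build with -DLIVE_LOOKUP (and -lresolv where needed) */
#include <string.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
/* Hypothetical helper: A lookup with DO set; 1 = AD seen, 0 = not, -1 = error. */
int lookup_a_authenticated(const char *name)
{
    struct __res_state st;
    unsigned char answer[4096];
    memset(&st, 0, sizeof st);
    if (res_ninit(&st) != 0) return -1;
    st.options |= RES_USE_DNSSEC;           /* stub sends EDNS0 with DO=1 */
    int n = res_nquery(&st, name, ns_c_in, ns_t_a, answer, sizeof answer);
    int ok = (n > 0) ? dns_answer_authenticated(answer, (size_t)n) : -1;
    res_nclose(&st);
    return ok;
}
#endif

int main(int argc, char **argv)
{
    (void)argc; (void)argv;
    printf("AD set:   %d\n", dns_answer_authenticated(SAMPLE_AD, sizeof SAMPLE_AD));
    printf("AD clear: %d\n", dns_answer_authenticated(SAMPLE_NO_AD, sizeof SAMPLE_NO_AD));
#ifdef LIVE_LOOKUP
    if (argc > 1) printf("%s: %d\n", argv[1], lookup_a_authenticated(argv[1]));
#endif
    return 0;
}
```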