Maintained by: NLnet Labs

[Unbound-users] Google Public DNS

Joe Abley
Wed Mar 20 12:55:57 CET 2013


On 2013-03-20, at 05:55, Phil Pennock <unbound-users+phil at spodhuis.org> wrote:

> Mind, I think that unbound's approach is sane and I'm happy it is as it
> is, but still, if an application wants to _rely_ on DNSSEC, then it
> should be setting the DO flag and checking AD.  This affects forthcoming
> DANE support, for instance.

I think if an application wants to _rely_ on DNSSEC, then it should be setting the DO bit and the CD bit, and doing its own validation.


Joe