Maintained by: NLnet Labs

[Unbound-users] Google Public DNS

Phil Mayers
Wed Mar 20 15:08:09 CET 2013


On 20/03/13 11:55, Joe Abley wrote:
>
> On 2013-03-20, at 05:55, Phil Pennock
> <unbound-users+phil at spodhuis.org> wrote:
>
>> Mind, I think that unbound's approach is sane and I'm happy it is
>> as it is, but still, if an application wants to _rely_ on DNSSEC,
>> then it should be setting the DO flag and checking AD.  This
>> affects forthcoming DANE support, for instance.
>
> I think if an application wants to _rely_ on DNSSEC, then it should
> be setting the DO bit and the CD bit, and doing its own validation.

In the general case I would agree. There might be specific cases where 
this doesn't make sense - for example, if you have an MTA with a local 
caching resolver, accessed over 127.0.0.1, trusting AD is reasonable.
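The flag combination discussed in the thread (DO and CD set on the query, AD checked on the response, and AD trusted only when the resolver is local), shown as an added example that is not part of the original post or of Unbound's code. It uses only the Python standard library and hand-built wire-format messages; the loopback-only trust policy is a hypothetical policy mirroring the 127.0.0.1 MTA case, and the response is a constructed sample, not captured traffic.

```python
"""Added example: build a DNS query with DO and CD set, parse the
header of a response, and decide whether its AD bit may be trusted.

Assumptions: RFC 1035 header layout and RFC 6891 EDNS0 OPT record;
the trust policy (loopback resolver only) is hypothetical.
"""
import ipaddress
import struct

# Header flag bits (16-bit flags word, RFC 1035 / RFC 4035)
QR = 1 << 15   # response
RD = 1 << 8    # recursion desired
RA = 1 << 7    # recursion available
AD = 1 << 5    # authenticated data (set by a validating resolver)
CD = 1 << 4    # checking disabled (ask the resolver not to validate)
# DO bit lives in the high bit of the OPT record's 16-bit flags,
# which occupy the low half of the 32-bit TTL field.
DO = 1 << 15


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, do=True, cd=True):
    """Query with RD, optional CD, and an EDNS0 OPT record carrying DO."""
    flags = RD | (CD if cd else 0)
    arcount = 1 if do else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if do:
        # OPT RR: root name, type 41, UDP size 4096, ext-rcode/version 0,
        # DO flag set, empty rdata.
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO, 0)
    return header + question + opt


def has_do(msg):
    """True if the message ends in an empty OPT record with DO set
    (the shape build_query produces; a general parser would walk all RRs)."""
    if len(msg) < 23:
        return False
    arcount = struct.unpack("!H", msg[10:12])[0]
    if arcount == 0:
        return False
    name, rtype, _, ttl, rdlen = struct.unpack("!BHHIH", msg[-11:])
    return name == 0 and rtype == 41 and rdlen == 0 and bool(ttl & DO)


def parse_header(msg):
    """Decode the 12-byte header into the fields an application cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & 0xF,
        "ancount": an,
    }


def may_trust_ad(resolver_ip, response):
    """Hypothetical policy: accept AD only from a resolver on loopback,
    since AD from a remote resolver crosses an unauthenticated path."""
    hdr = parse_header(response)
    local = ipaddress.ip_address(resolver_ip).is_loopback
    return hdr["qr"] and hdr["rcode"] == 0 and hdr["ad"] and local


def constructed_response(txid=0x1234, ad=True):
    """Constructed sample response (not captured traffic): one A record
    for example.com pointing at the 192.0.2.1 documentation address."""
    flags = QR | RD | RA | (AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    # Answer name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print("query CD set:", parse_header(q)["cd"], "DO set:", has_do(q))
    resp = constructed_response()
    print("trust AD from 127.0.0.1:", may_trust_ad("127.0.0.1", resp))
    print("trust AD from 8.8.8.8:", may_trust_ad("8.8.8.8", resp))
```

The query side is what Joe Abley's position calls for: DO so the resolver returns RRSIGs and CD so the application can validate them itself. The `may_trust_ad` policy is the narrower case from the reply, where a caching resolver on 127.0.0.1 is the only source whose AD bit the application accepts.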