On 20/03/13 11:55, Joe Abley wrote:
>
> On 2013-03-20, at 05:55, Phil Pennock <unbound-users+phil at spodhuis.org> wrote:
>
>> Mind, I think that unbound's approach is sane and I'm happy it is
>> as it is, but still, if an application wants to _rely_ on DNSSEC,
>> then it should be setting the DO flag and checking AD. This
>> affects forthcoming DANE support, for instance.
>
> I think if an application wants to _rely_ on DNSSEC, then it should
> be setting the DO bit and the CD bit, and doing its own validation.

In the general case I would agree. There might be specific cases where this
doesn't make sense - for example, if you have an MTA with a local caching
resolver, accessed over 127.0.0.1, trusting AD is reasonable.
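Added example, not from any poster in this thread and not unbound's code: a small wire-format DNS builder/parser showing where the three bits being discussed actually live (DO in the EDNS OPT record's extended-flags field, CD and AD in the header flags word), plus the policy from the last paragraph, which trusts AD only when the resolver is reached over a loopback address. The query name, the 192.0.2.1 answer, and the responses are constructed inline, so nothing is sent on the network; an application that wants to rely on DNSSEC in the general case would set CD and validate the RRSIGs itself instead of calling `ad_is_trustworthy`.

```python
import struct
import ipaddress

QTYPE_A, QTYPE_OPT = 1, 41
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
EDNS_DO = 0x80000000  # DO is the high bit of the OPT RR's 32-bit TTL ("extended flags") field


def encode_name(name):
    """Encode a dotted name into DNS wire labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, do=True, cd=False, txid=0x1234):
    """RD is always set; CD goes in the header, DO goes in the OPT record."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP payload size in CLASS, DO bit in TTL, empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return hdr + question + opt


def build_response(query, address="192.0.2.1", ad=True):
    """Constructed resolver reply (hypothetical, not a captured packet): echoes the
    question, adds one A record via a compression pointer to offset 12, sets AD or not."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:skip_name(query, 12) + 4]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + ipaddress.ip_address(address).packed
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, EDNS_DO, 0)
    return hdr + question + answer + opt


def skip_name(msg, off):
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_flags(msg):
    """Pull QR/AD/CD/RCODE from the header and DO from the OPT record (if present)."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == QTYPE_OPT:
            do = bool(ttl & EDNS_DO)
        off += 10 + rdlen
    return {"qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "do": do, "rcode": flags & 0x000F}


def ad_is_trustworthy(resolver_ip, flags):
    """The MTA-with-local-cache case from the message: AD means something only
    when the validating resolver is on loopback, so the hop to it cannot be tampered with."""
    return flags["ad"] and ipaddress.ip_address(resolver_ip).is_loopback


if __name__ == "__main__":
    q = build_query("example.com.", do=True, cd=True)
    print("query flags   ", parse_flags(q))
    r = build_response(q, ad=True)
    print("response flags", parse_flags(r))
    print("trust AD from 127.0.0.1:", ad_is_trustworthy("127.0.0.1", parse_flags(r)))
    print("trust AD from 192.0.2.53:", ad_is_trustworthy("192.0.2.53", parse_flags(r)))
```

Note that `parse_flags` reports CD from the query and AD from the reply; a resolver that honours CD will hand back data it could not validate, which is exactly why the CD-setting client must then validate for itself.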