Maintained by: NLnet Labs

[Unbound-users] Insisting on DNSSEC

Rick van Rein
Sat Jan 11 23:00:22 CET 2014


Hello,

Am I correct that Unbound cannot require DNSSEC validation for its resolution?

The general DNS use case would call for security of validated insecurity, but other situations are possible too.
 * You do not want to trust TLSA / CERT / … records that have not been validated
 * Kerberos5 tends to mistrust DNS, but insofar as records are signed that could be corrected
 * An application at a CA might have a policy to only trust signed portions of DNS

So, if I am correct and there is no way to enforce DNSSEC validation on everything returned, then could such an option be added in future versions?

Thanks,
 -Rick
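Until a resolver offers such an option, the check has to live in the application: it sends queries with the DO bit, and accepts an answer only when the validating resolver set the AD bit (bogus data comes back as SERVFAIL unless the resolver runs in permissive mode). The following is an added example, not code from Unbound or from the thread; it parses the DNS header flags of constructed sample responses and refuses anything that is not validated.

```python
"""Classify raw DNS responses by DNSSEC validation status (added example)."""
import struct

# Header flag bits per RFC 1035 / RFC 4035: QR (15), AA (10), TC (9), RD (8),
# RA (7), AD (5), CD (4), RCODE (3..0).
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010
RCODE_SERVFAIL = 2


def parse_header(raw: bytes) -> dict:
    """Decode the 12-byte DNS header into its security-relevant fields."""
    if len(raw) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", raw[:12])
    return {"id": ident, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F, "ancount": an}


def classify(raw: bytes) -> str:
    """'secure' (AD set), 'insecure' (validated as unsigned), or 'bogus-or-error'."""
    h = parse_header(raw)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["rcode"] == RCODE_SERVFAIL:
        return "bogus-or-error"  # validating resolvers answer SERVFAIL for bogus data
    return "secure" if h["ad"] else "insecure"


def require_secure(raw: bytes) -> dict:
    """Policy for TLSA/CERT lookups: only a validated answer is usable."""
    status = classify(raw)
    if status != "secure":
        raise PermissionError(f"refusing unvalidated answer: {status}")
    return parse_header(raw)


def make_header(flags: int, ancount: int = 1, ident: int = 0x1234) -> bytes:
    """Build a constructed 12-byte header for the offline demonstration."""
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)


# Constructed samples: a validated answer, an unsigned answer, and a SERVFAIL.
SECURE = make_header(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
INSECURE = make_header(FLAG_QR | FLAG_RD | FLAG_RA)
BOGUS = make_header(FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, ancount=0)
```

Note that the AD bit is only meaningful when the path between the application and the validating resolver is trusted (localhost or an authenticated channel); a forged AD bit from an upstream cannot be detected this way.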