Maintained by: NLnet Labs

[Unbound-users] Insisting on DNSSEC

Anand Buddhdev
Sat Jan 11 23:16:05 CET 2014


On 11/01/2014 23:00, Rick van Rein wrote:

Hi Rick,

> Am I correct that Unbound cannot require DNSSEC validation for its
> resolution?

Not sure what you are asking here. If unbound is configured with the
root trust anchor, it will validate everything it can. Of course, if a
zone is not signed, then there's nothing to validate. Additionally, a
user can send a query with the CD flag set, and then unbound will send
results, even if validation failed.

Are you suggesting that unbound ignore the CD flag? Or are you asking
for something else?

Anand Buddhdev
RIPE NCC