[Unbound-users] Insisting on DNSSEC

Paul Wouters
Sun Jan 12 04:20:22 CET 2014

On Sun, 12 Jan 2014, Rick van Rein wrote:

> I *think* I am asking for something new — namely, to insist on presence of DNSSEC and proper validation on it.  In other words, to be able to neglect anything that is not properly signed.

If an application wants to insist on DNSSEC, they simply need to query
and check for the AD bit being set. It's not up to the resolver to
set application policy.
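
Added example, not part of the message above and not Unbound code: one way an application could apply the "check the AD bit" policy to a raw DNS response header. The helper name require_ad, the verdict enum and the sample packets are hypothetical. It assumes the response came from a validating resolver the application trusts over a protected path (for instance on loopback), since otherwise the AD bit carries no assurance.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Header flag masks: RFC 1035 layout, AD bit as defined by RFC 4035. */
#define DNS_QR    0x8000u  /* message is a response */
#define DNS_TC    0x0200u  /* truncated */
#define DNS_AD    0x0020u  /* authenticated data */
#define DNS_RCODE 0x000Fu  /* response code */

enum dnssec_verdict {
    DNSSEC_OK = 0, DNSSEC_MALFORMED, DNSSEC_ID_MISMATCH,
    DNSSEC_TRUNCATED, DNSSEC_ERROR_RCODE, DNSSEC_NOT_VALIDATED
};

/* Hypothetical helper: accept a response only if the resolver marked it
 * as validated. Anything unsigned is reported, never silently used. */
enum dnssec_verdict require_ad(const uint8_t *msg, size_t len, uint16_t query_id)
{
    if (msg == NULL || len < 12) return DNSSEC_MALFORMED;  /* header is 12 bytes */
    uint16_t id    = (uint16_t)((msg[0] << 8) | msg[1]);
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    if (!(flags & DNS_QR)) return DNSSEC_MALFORMED;        /* not a response */
    if (id != query_id)    return DNSSEC_ID_MISMATCH;
    if (flags & DNS_TC)    return DNSSEC_TRUNCATED;        /* retry over TCP first */
    /* Non-zero RCODE (SERVFAIL, NXDOMAIN, ...) is left to the caller's error path. */
    if (flags & DNS_RCODE) return DNSSEC_ERROR_RCODE;
    if (!(flags & DNS_AD)) return DNSSEC_NOT_VALIDATED;    /* insecure answer */
    return DNSSEC_OK;
}

/* Constructed sample headers: ID 0x1234, QR+RD+RA set, one question, one answer. */
static const uint8_t signed_resp[12]   = {0x12,0x34, 0x81,0xA0, 0,1, 0,1, 0,0, 0,0};
static const uint8_t unsigned_resp[12] = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};

int main(void)
{
    printf("signed:   %d\n", require_ad(signed_resp, sizeof signed_resp, 0x1234));
    printf("unsigned: %d\n", require_ad(unsigned_resp, sizeof unsigned_resp, 0x1234));
    return 0;
}
```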