[Unbound-users] Insisting on DNSSEC

Rick van Rein
Sun Jan 12 11:03:47 CET 2014


> If an application wants to insist on DNSSEC, they simply need to query
> and check for the AD bit being set. It's not up to the resolver to
> set application policy.

Two reasons make this technically correct, but intractable:

1. The person wanting to enforce this policy may be a sysadmin, rather than a developer.  He’d end up doing nasty things with firewalls and experience delay times.

2. I think the recursive resolver is the ultimate place to implement insisting on DNSSEC; using an overloaded bit to do it elsewhere somewhat scares me.

So I, ehm, insist, that this is a useful feature to add to Unbound ;-)
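As an added illustration of the "query and check for the AD bit" approach quoted above (example code, not from this thread or from Unbound): parsing the 12-byte DNS header and deciding whether a validating resolver reported the answer as authenticated. The sample headers are constructed, not captured traffic, and the AD bit is only worth anything when the resolver itself validates and the path to it is trusted, which is the concern raised in the post.

```python
import struct

# DNS header flag masks (RFC 1035 section 4.1.1 layout; AD and CD
# are the two bits added for DNSSEC, RFC 2535 / RFC 4035).
QR = 0x8000          # response
TC = 0x0200          # truncated
RD = 0x0100          # recursion desired
RA = 0x0080          # recursion available
AD = 0x0020          # authenticated data (set by a validating resolver)
CD = 0x0010          # checking disabled (validation was turned off)
RCODE_MASK = 0x000F  # NOERROR = 0, SERVFAIL = 2, ...


def parse_header(msg: bytes) -> dict:
    """Unpack the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def is_authenticated(msg: bytes, expected_id: int) -> bool:
    """True only if the response is ours, succeeded, and carries AD.

    AD is meaningful only when validation ran: a response with CD set
    (or an error RCODE) must be treated as unauthenticated. The query
    should have set DO (EDNS) or AD so the resolver reports AD (RFC 6840).
    """
    h = parse_header(msg)
    f = h["flags"]
    if h["id"] != expected_id or not (f & QR) or (f & TC):
        return False
    if (f & RCODE_MASK) != 0:   # SERVFAIL etc. never count as validated
        return False
    if f & CD:                  # validation disabled: AD carries no assurance
        return False
    return bool(f & AD)


# Constructed sample headers: one question, one answer unless noted.
ID = 0x1234


def build_header(flags: int, ancount: int = 1) -> bytes:
    return struct.pack("!6H", ID, flags, 1, ancount, 0, 0)


VALIDATED = build_header(QR | RD | RA | AD)       # signed zone, validated
UNSIGNED = build_header(QR | RD | RA)             # answer, but no AD
SERVFAIL = build_header(QR | RD | RA | 2, 0)      # validation failure
CD_SET = build_header(QR | RD | RA | CD)          # validation was skipped
```

Only the first sample passes; an application insisting on DNSSEC would refuse the other three even though two of them carry an answer.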