Maintained by: NLnet Labs

[Unbound-users] Insisting on DNSSEC

Oliver Peter
Mon Jan 13 16:09:12 CET 2014


On Sun, Jan 12, 2014 at 11:03:47AM +0100, Rick van Rein wrote:
> > If an application wants to insist on DNSSEC, they simple need to query
> > and check for the AD bit being set. It's not up to the resolver to
> > set application policy.
> 
> Two reasons make this technically correct, but intractable:
> 
> 1. The person wanting to enforce this policy may be a sysadmin, rather than a developer.  He’d end up doing nasty things with firewalls and experience delay times.
> 
> 2. I think the recursive resolver is the ultimate place to implement insisting on DNSSEC; using an overloaded bit to do it elsewhere somewhat scares me.

Why does this scare you?  If you don't trust the AD bit from your
DNSSEC validating resolver - why trust the response at all?

Perhaps DNS is not the right thing for your application.
 
> So I, ehm, insist, that this is a useful feature to add to Unbound ;-)

Unbound has been released under the BSD license which means you are
free to svn checkout the sources and hack, hack, hack.


-- 
Oliver PETER       oliver at gfuzz.de       0x456D688F
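The thread above discusses an application "insisting" on DNSSEC by checking the AD bit in the resolver's reply, and Oliver's point that the AD bit is only as trustworthy as the path to the validating resolver. The following is an added example, not code from the thread or from Unbound: it builds a query header that asks the resolver to report AD (setting AD in the query, per RFC 6840 section 5.7), parses the flags field of a response header with the Python standard library only, and decides whether the answer was validated. The two response messages are constructed header-only samples; the function names `build_query_header`, `parse_header` and `insist_on_dnssec` are my own.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035 section 3.2.3):
#  QR Opcode(4) AA TC RD RA Z AD CD RCODE(4)
QR = 0x8000   # message is a response
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available
AD = 0x0020   # authenticated data: the resolver validated the answer
CD = 0x0010   # checking disabled: validation was suppressed by the client
RCODE_MASK = 0x000F

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def build_query_header(txid, want_ad=True):
    """Header for a recursive query; setting AD in the query asks the
    resolver to set AD in its reply (RFC 6840 section 5.7)."""
    flags = RD | (AD if want_ad else 0)
    return HEADER.pack(txid, flags, 1, 0, 0, 0)


def parse_header(msg):
    """Decode the 12-byte DNS header into named fields."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def insist_on_dnssec(response, expected_id):
    """Return True only if the reply is a well-formed, successful response
    carrying the AD bit. Returns False for an unvalidated answer; raises on
    replies that should not be interpreted at all.

    Caveat from the thread: AD is an assertion by the resolver, so this check
    is only meaningful when the resolver is a trusted validator reached over a
    path an attacker cannot rewrite (e.g. localhost)."""
    h = parse_header(response)
    if h["id"] != expected_id:
        raise ValueError("transaction id mismatch")
    if not h["qr"]:
        raise ValueError("not a response")
    if h["rcode"] != 0:
        raise ValueError("query failed with RCODE %d" % h["rcode"])
    return h["ad"]


# Constructed sample responses (header only; the question/answer sections are
# omitted because the decision depends on the flags field alone).
VALIDATED_RESPONSE = HEADER.pack(0x1234, QR | RD | RA | AD, 1, 1, 0, 0)
UNVALIDATED_RESPONSE = HEADER.pack(0x1234, QR | RD | RA, 1, 1, 0, 0)

if __name__ == "__main__":
    print(build_query_header(0x1234).hex())
    print("validated:", insist_on_dnssec(VALIDATED_RESPONSE, 0x1234))
    print("validated:", insist_on_dnssec(UNVALIDATED_RESPONSE, 0x1234))
```

In a real client the header would be prefixed to an encoded question section and sent over UDP or TCP; the flag handling stays the same. Note that the check deliberately raises rather than returning False for an ID mismatch or non-zero RCODE, so that a spoofed or failed reply cannot be mistaken for a merely unvalidated one.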