Maintained by: NLnet Labs

[Unbound-users] Insisting on DNSSEC

Olafur Gudmundsson
Mon Jan 13 16:14:20 CET 2014


On Jan 11, 2014, at 5:00 PM, Rick van Rein <rick at openfortress.nl> wrote:

> Hello,
> 
> Am I correct that Unbound cannot require DNSSEC validation for its resolution?
> 
> The general DNS use case would call for security of validated insecurity, but other situations are possible too.
> * You do not want to trust TLSA / CERT / … records that have not been validated
> * Kerberos5 tends to mistrust DNS, but insofar as records are signed that could be corrected
> * An application at a CA might have a policy to only trust signed portions of DNS
> 
> So, if I am correct and there is no way to enforce DNSSEC validation on everything returned, then could such an option be added in future versions?

Rick, 

Strictly speaking you are asking unbound to do something that RFC4035 outlaws, i.e. see section 4.3:
Insecure is always returned.

I understand what you want and agree with you it would be nice to have this functionality. 
One way to do this is to run a local resolver behind a proxy that translates all answers w/o AD bit to an 
empty answer with RCODE>0, not sure what RCODE 

A better way might be to propose an EDNS0 option that expresses to the resolver: 
	only answer if AD==1 
and defines a new RCODE to express only insecure answer exists.

This way applications that want this functionality get it and all others that use the resolver
are not affected. 

	Olafur
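The proxy approach sketched in this reply, as an added example that is not part of the thread or of Unbound: a function that inspects the header of a resolver's response, passes it through when AD=1 and otherwise rewrites it to an empty answer (question section kept, all other sections dropped). The choice of SERVFAIL as the RCODE and the sample responses are assumptions made for the example.

```python
import struct

# DNS header flag bits (RFC 1035 header layout, AD/CD from RFC 4035)
QR = 0x8000          # response
AD = 0x0020          # Authenticated Data: resolver validated the answer
RCODE_MASK = 0x000F
SERVFAIL = 2         # assumed RCODE for "no validated answer exists"

def question_length(msg: bytes, offset: int = 12) -> int:
    """Byte length of the question section starting at `offset` (QDCOUNT entries)."""
    pos = offset
    for _ in range(struct.unpack_from("!H", msg, 4)[0]):   # QDCOUNT
        while True:
            label_len = msg[pos]
            if label_len >= 0xC0:        # compression pointer terminates the name
                pos += 2
                break
            pos += 1 + label_len
            if label_len == 0:           # root label terminates the name
                break
        pos += 4                         # QTYPE + QCLASS
    return pos - offset

def enforce_ad(response: bytes, rcode: int = SERVFAIL) -> bytes:
    """Return `response` unchanged if AD=1; otherwise return an empty answer
    with the same ID and question, AD cleared and RCODE set to `rcode`."""
    ident, flags, qd, _an, _ns, _ar = struct.unpack_from("!HHHHHH", response, 0)
    if flags & AD:
        return response
    new_flags = (flags & ~RCODE_MASK & ~AD & 0xFFFF) | QR | rcode
    header = struct.pack("!HHHHHH", ident, new_flags, qd, 0, 0, 0)
    return header + response[12:12 + question_length(response)]

def build_response(name: str, rdata: bytes, ad: bool) -> bytes:
    """Constructed sample: an A response with one answer RR, with or without AD."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    flags = QR | 0x0100 | 0x0080 | (AD if ad else 0)        # QR, RD, RA, [AD]
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)              # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer

if __name__ == "__main__":
    good = build_response("example.com", bytes([192, 0, 2, 1]), ad=True)
    bad = build_response("example.com", bytes([192, 0, 2, 1]), ad=False)
    print(enforce_ad(good) == good, len(enforce_ad(bad)), enforce_ad(bad)[3] & 0xF)
```

Such a proxy only helps if the resolver behind it actually validates; with validation disabled every answer arrives with AD=0 and would be refused.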