Maintained by: NLnet Labs

[Unbound-users] Insisting on DNSSEC

Rick van Rein
Mon Jan 13 16:47:09 CET 2014


Hello,

> I understand what you want and agree with you it would be nice to have this functionality. 
> One way to do this is to run a local resolver behind a proxy that translates all answers w/o AD bit to an 
> empty answer with RCODE>0, not sure what RCODE 

Scary stuff.  Very, very hacky.

> A better way might be to propose an EDNS0 option that expresses to the resolver: 
> 	only answer if AD==1 
> and defines a new RCODE to express only insecure answer exists.

At the protocol level, that would be the proper resolution.  But I doubt anyone is going to find that acceptable — I think the full force of the IETF is going to tell us that this is to be arranged in the resolver.  And I would agree with them.

> This way applications that want this functionality get it and all others that use the resolver
> are not affected. 

It’s always possible to make this view-dependent, and/or to run multiple resolver instances.  I don’t think I’d ever combine this functionality with the default resolver on a network, but rather run it on a machine that requires this facility — so as to bypass LAN dangers (such as its users).

-Rick