Maintained by: NLnet Labs

[Unbound-users] Insisting on DNSSEC

Phil Mayers
Mon Jan 13 16:55:47 CET 2014


On 13/01/2014 15:47, Rick van Rein wrote:
> Hello,
>
>> I understand what you want and agree with you it would be nice to have this functionality.
>> One way to do this is to run a local resolver behind a proxy that translates all answers w/o AD bit to an
>> empty answer with RCODE>0, not sure what RCODE
>
> Scary stuff.  Very, very hacky.

Shrug. As opposed to what - violating the DNS RFC?

If you want "hacky", how about an LD_PRELOAD library that patches the 
resolver queries and enforces AD=1 ;o)
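
The rewriting step of the proxy idea quoted above, as an added example (not code from this thread or from Unbound): a response with AD=1 passes through unchanged, anything else is reduced to its question section with an error RCODE. The thread leaves the RCODE open, so SERVFAIL is an assumption here, and the function names and the sample packet are constructed for illustration.

```python
import struct

QR, AD, RCODE_MASK = 0x8000, 0x0020, 0x000F   # header flag bits (RFC 1035, RFC 4035)
SERVFAIL = 2   # assumption: the thread does not settle on an RCODE

def question_end(msg, qdcount):
    """Offset just past the question section, which the rewritten reply keeps."""
    off = 12
    for _ in range(qdcount):
        while True:
            if off >= len(msg):
                raise ValueError("truncated question section")
            length = msg[off]
            if (length & 0xC0) == 0xC0:   # compression pointer: two bytes, ends the name
                off += 2
                break
            off += 1 + length
            if length == 0:               # root label ends the name
                break
        off += 4                          # QTYPE + QCLASS
    if off > len(msg):
        raise ValueError("truncated question section")
    return off

def enforce_ad(response, rcode=SERVFAIL):
    """Pass AD=1 responses through; replace anything else with an empty error reply."""
    if len(response) < 12:
        raise ValueError("short DNS header")
    ident, flags, qd, _an, _ns, _ar = struct.unpack("!6H", response[:12])
    if not flags & QR:
        raise ValueError("not a response")
    if flags & AD:
        return response
    flags = (flags & ~RCODE_MASK) | rcode
    header = struct.pack("!6H", ident, flags, qd, 0, 0, 0)   # zero AN/NS/AR counts
    return header + response[12:question_end(response, qd)]

def sample_response(ad):
    """Constructed sample: one A record for example.com, AD set or clear."""
    name = b"\x07example\x03com\x00"
    flags = 0x8180 | (AD if ad else 0)    # QR, RD, RA, NOERROR
    question = name + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0) + question + answer

if __name__ == "__main__":
    for ad in (True, False):
        out = enforce_ad(sample_response(ad))
        print("AD" if ad else "no AD", "->", "rcode", out[3] & 0x0F, "ancount", out[7])
```

The AD bit is only as trustworthy as the path to the resolver that set it, which is why the quoted suggestion puts the proxy in front of a local resolver.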