Maintained by: NLnet Labs

[Unbound-users] Insisting on DNSSEC

Phil Mayers
Mon Jan 13 16:54:44 CET 2014


On 13/01/2014 15:14, Olafur Gudmundsson wrote:

> A better way might be to propose an EDNS0 option that expresses to the resolver:
> 	only answer if AD==1
> and defines a new RCODE to express only insecure answer exists.

I don't see how this helps. If the application can't be updated to check 
AD=1, then it presumably can't be updated to send an EDNS option.

Or if you're proposing to patch the libc resolver, then it could just as 
easily force/check AD=1, surely?