[Unbound-users] Delegation-only zones and non-root zone RFC 5011?

Viktor Dukhovni
Sat Jan 17 23:08:48 CET 2015

It would be nice if unbound were able to enforce "delegation-only"
zones that contain only delegations and glue.  This would be useful
for the root zone and various TLDs.  Otherwise, such zones can
return apparently valid signed responses that should have been
delegated to a child zone, but for some reason were not.

This feature is of course not urgent; it would be more useful if
for various TLDs (and not just the root) it were feasible to "pin"
the DNSKEY RRs via RFC 5011, and/or "transparency" of some kind
were implemented for DNSSEC.

Still, I think it would be useful to consider whether and when to
include such a feature.  I may of course not have thought this
through properly, ...

Also, how would one configure unbound to use an auto-trust-anchor-file
via RFC 5011 for a given gTLD or ccTLD?
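
The delegation-only check described in the message, sketched as an added example (not part of the original post and not Unbound code): an RRset whose RRSIG signer is a delegation-only zone is accepted only at that zone's apex or, below it, for the parent-side types DS, NSEC and NSEC3. The class, function names and sample records are constructed, and treating every other signed name below the apex as a violation is an assumed policy.

```python
from dataclasses import dataclass

# Types a delegation-only parent legitimately signs below its own apex.
PARENT_SIDE_TYPES = {"DS", "NSEC", "NSEC3"}

@dataclass(frozen=True)
class SignedRRset:
    owner: str   # owner name of the RRset
    rrtype: str  # record type, e.g. "A", "DS", "TLSA"
    signer: str  # Signer's Name field of the covering RRSIG

def labels(name):
    """Split a name into lower-case labels; the root zone gives []."""
    stripped = name.lower().rstrip(".")
    return stripped.split(".") if stripped else []

def is_strictly_below(name, zone):
    """True when name is a proper descendant of zone (not the apex itself)."""
    nl, zl = labels(name), labels(zone)
    return len(nl) > len(zl) and nl[len(nl) - len(zl):] == zl

def violates_delegation_only(rrset, delegation_only_zones):
    """Flag data signed by a delegation-only zone for a name below its apex."""
    for zone in delegation_only_zones:
        if labels(zone) != labels(rrset.signer):
            continue  # signed by some other zone, e.g. the child itself
        if (is_strictly_below(rrset.owner, zone)
                and rrset.rrtype.upper() not in PARENT_SIDE_TYPES):
            return True
    return False

# Constructed sample RRsets, policy: root and "com." are delegation-only.
POLICY = [".", "com."]
SAMPLES = [
    SignedRRset("com.", "DNSKEY", "com."),                       # apex data
    SignedRRset("example.com.", "DS", "com."),                   # secure delegation
    SignedRRset("www.example.com.", "A", "example.com."),        # signed by child
    SignedRRset("_25._tcp.mail.example.com.", "TLSA", "com."),   # should be delegated
    SignedRRset("www.example.com.", "A", "."),                   # root answering directly
]

if __name__ == "__main__":
    for rr in SAMPLES:
        verdict = "REJECT" if violates_delegation_only(rr, POLICY) else "ok"
        print(f"{verdict:6} {rr.owner} {rr.rrtype} signer={rr.signer}")
```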