Maintained by: NLnet Labs

"domain-insecure" no longer necessary?

Daisuke HIGASHI
Sun May 8 16:35:46 CEST 2016


Hi, Stephane

Isn't that TLD signed with NSEC3 Opt-Out ?

2016-05-08 23:12 GMT+09:00 Stephane Bortzmeyer via Unbound-users
<unbound-users at unbound.net>:
> I have some dummy domains (not existing in the real public DNS) in my
> unbound.conf, using "forward-zone". It seems to me that it was
> necessary to add also "domain-insecure" for these domains when their
> parent is signed.
>
> But I just added a second-level domain of a signed TLD as
> "forward-zone" and it worked fine without "domain-insecure".
>
> Did anything change in the semantics of forward-zone?
>
> Version 1.5.8
> linked libs: libevent 2.0.22-stable (it uses epoll), OpenSSL 1.0.2h  3
> May 2016
> linked modules: dns64 validator iterator