Maintained by: NLnet Labs

unset the 'dnssec ok' flag in requests

Rob Andrzejewski
Thu Oct 6 19:56:38 CEST 2016


Afternoon Unbound Users,

In my particular use case of Unbound, we don't need dnssec validation.
I have disabled validation through the config and confirmed that the
server is not validating.  However, I recently did a tcpdump of my
unbound server traffic and noticed that Unbound sets the 'do' flag on
all recursive queries.
So, it is receiving all the dnssec info even though it's not using it
for validation, which also means it's caching all the rrsig, etc.
records.

Is there a configuration option to disable the 'do' flag on outbound requests?

Any assistance is greatly appreciated.

Thanks,
RA
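
One way to confirm from a capture what the message above describes, as an added example that is not part of the original post or of Unbound: it reads the DO bit from the EDNS OPT record of a raw DNS message (RFC 6891). The function names are hypothetical and the query bytes are constructed sample data, not real traffic.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + length

def edns_do_flag(msg):
    """Return True/False for the DO bit, or None if there is no OPT record."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 41:                 # OPT pseudo-RR
            # TTL field layout: ext-rcode(8) | version(8) | DO(1) | Z(15)
            return bool(ttl & 0x8000)
        off += rdlen
    return None

def build_query(qname, do, edns=True):
    """Constructed sample: an A query, optionally carrying an OPT record."""
    header = struct.pack("!6H", 0x1234, 0x0000, 1, 0, 0, 1 if edns else 0)
    labels = qname.split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    if not edns:
        return header + question
    # OPT: root name, type 41, class = UDP payload size, TTL holds the flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if do else 0, 0)
    return header + question + opt

if __name__ == "__main__":
    samples = [("DO set", build_query("example.com", True)),
               ("DO clear", build_query("example.com", False)),
               ("no EDNS", build_query("example.com", False, edns=False))]
    for label, pkt in samples:
        print(label, "->", edns_do_flag(pkt))
```

To use it on real traffic, pass the UDP payload of each outbound query from the capture to `edns_do_flag`.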