unset the 'dnssec ok' flag in requests

Rob Andrzejewski randrzejewski at constantcontact.com
Thu Oct 6 17:56:38 UTC 2016


Afternoon Unbound Users,

In my particular use case of Unbound, we don't need dnssec validation.
I have disabled validation through the config and confirmed that the
server is not validating.  However, I recently did a tcpdump of my
unbound server traffic and noticed that Unbound sets the 'do' flag on
all recursive queries.
So, it is receiving all the dnssec info even though it's not using it
for validation.  Which also means it's caching all the rrsig, etc
records.

Is there a configuration option to disable the 'do' flag on outbound requests?

Any assistance is greatly appreciated.

Thanks,
RA



More information about the Unbound-users mailing list