Maintained by: NLnet Labs

unset the 'dnssec ok' flag in requests

Ralph Dolmans
Fri Oct 7 15:17:53 CEST 2016


Hi Rob,

No, Unbound does not have a configuration option to disable the DO flag
on outgoing queries.

Regards,
-- Ralph

On 06-10-16 19:56, Rob Andrzejewski via Unbound-users wrote:
> Afternoon Unbound Users,
> 
> In my particular use case of Unbound, we don't need dnssec validation.
> I have disabled validation through the config and confirmed that the
> server is not validating.  However, I recently did a tcpdump of my
> unbound server traffic and noticed that Unbound sets the 'do' flag on
> all recursive queries.
> So, it is receiving all the dnssec info even though it's not using it
> for validation.  Which also means it's caching all the rrsig, etc
> records.
> 
> Is there a configuration option to disable the 'do' flag on outbound requests?
> 
> Any assistance is greatly appreciated.
> 
> Thanks,
> RA
>