Maintained by: NLnet Labs

How to force resolution failure of an unsigned domain

Sen Dion
Sun Apr 2 21:07:29 CEST 2017

   Hello Everybody,

It looks like there is an assumption that it is an application 
responsibility to get user consent before accessing an unsigned domain 
(whenever 'ad' flag is not set).  AFAIK, that is not the case: majority 
of applications is not 'ad' flag aware.

How to prevent accesses to unsigned domains from these applications?  Is 
there a way to force resolution failure (in unbound) for an unsigned 

   Sen Dion