The question to answer is: How many stub resolvers set the DO/AD flag or even allow setting it? So this doesn't make much sense to me to implement in Unbound too, since I consider this practically useless.

Ondřej Surý

On 20. 3. 2013, at 7:49, "Marco Davids (SIDN)" <[email protected]> wrote:

> Hi,
>
> I suppose many of us read Google's announcement yesterday:
>
> http://googleonlinesecurity.blogspot.nl/2013/03/google-public-dns-now-supports-dnssec.html
>
> Now, Google Public DNS only validates when either the DO-bit or, according to
> RFC6840, the AD-bit is set in the query.
>
> https://developers.google.com/speed/public-dns/faq#dnssec
>
> Validation upon request, instead of ignoring validation by means of the
> CD-bit, so to speak.
>
> In a way, I kind of like the idea. As for some environments -such as the one
> at Google- it might (for now) be a good alternative. It sort of adheres to the
> idea; "everything stays the same, unless you want it to be different" (which
> at the same time may be considered as undesirable...).
>
> Anyway...
>
> I was wondering what the opinions are on this list, regarding the
> design-choices of Google. And if this feature is being considered for Unbound
> (in addition to the already present 'val-permissive' mode)?
>
> Regards,
> --
> Marco
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
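
The thread turns on whether a query carries the DO bit (in the EDNS0 OPT record) or the AD bit (in the header). The following is an added example, not part of the original messages and not code from Unbound or Google: it builds constructed queries and checks captured query bytes for those bits, which is the measurement needed to count how many stub resolvers set them. The function names are hypothetical, and `validation_requested` encodes only the policy as described in the quoted message.

```python
import struct

RD, AD, CD = 0x0100, 0x0020, 0x0010   # DNS header flag bits
OPT, DO = 41, 0x8000                  # EDNS0 OPT RR type; DO bit in the OPT flags

def build_query(name, qtype=1, ad=False, do=False, qid=0x1234):
    """Build a constructed DNS query, optionally with AD set and/or an OPT RR with DO."""
    flags = RD | (AD if ad else 0)
    msg = struct.pack("!6H", qid, flags, 1, 0, 0, 1 if do else 0)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!2H", qtype, 1)      # end of name, QTYPE, QCLASS=IN
    if do:
        # root owner name, TYPE=OPT, CLASS=UDP size, ext-rcode, version, flags, RDLEN
        msg += b"\x00" + struct.pack("!HHBBHH", OPT, 1232, 0, 0, DO, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:           # compression pointer ends the name
            return off + 2
        off += 1 + n

def query_bits(msg):
    """Extract the AD, CD and DO bits from raw DNS message bytes."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT:               # OPT reuses the TTL field for its flags
            do = bool(ttl & DO)
    return {"AD": bool(flags & AD), "CD": bool(flags & CD), "DO": do}

def validation_requested(msg):
    """Policy from the quoted message: validate only if DO or AD is set in the query."""
    bits = query_bits(msg)
    return bits["AD"] or bits["DO"]

if __name__ == "__main__":
    for ad, do in [(False, False), (True, False), (False, True), (True, True)]:
        q = build_query("example.com", ad=ad, do=do)
        print(f"AD={ad!s:5} DO={do!s:5} -> validation requested: {validation_requested(q)}")
```

A query with neither bit set, which is what a plain stub resolver typically sends, comes out as not requesting validation under this policy.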
