On 20/03/13 11:55, Joe Abley wrote:
> On 2013-03-20, at 05:55, Phil Pennock <[email protected]> wrote:
>> Mind, I think that unbound's approach is sane and I'm happy it is
>> as it is, but still, if an application wants to _rely_ on DNSSEC,
>> then it should be setting the DO flag and checking AD. This
>> affects forthcoming DANE support, for instance.
> I think if an application wants to _rely_ on DNSSEC, then it should
> be setting the DO bit and the CD bit, and doing its own validation.
In the general case I would agree. There might be specific cases where
this doesn't make sense - for example, if you have an MTA with a local
caching resolver, accessed over 127.0.0.1, trusting AD is reasonable.
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
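The two positions in this thread, written out as client-side logic, as an added example that is not code from the thread or from unbound: a wire-format query with the DO bit (in the EDNS0 OPT record) and the CD header flag set for an application that validates itself, and a policy function that trusts AD only when the resolver is on loopback and CD was not sent. The function names and the sample response are constructed for this example.

```python
import ipaddress
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 6891)
FLAG_RD = 0x0100  # Recursion Desired
FLAG_CD = 0x0010  # Checking Disabled: resolver must not drop unvalidated data
FLAG_AD = 0x0020  # Authentic Data: resolver asserts it validated the answer
EDNS_DO = 0x8000  # DNSSEC OK, carried in the OPT record's extended flags

def build_query(qname, qtype=1, qid=0x1234, set_cd=True):
    """Query with an EDNS0 OPT RR carrying DO, and CD in the header if requested."""
    flags = FLAG_RD | (FLAG_CD if set_cd else 0)
    # id, flags, qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT record)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # qtype, qclass IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt

def parse_flags(msg):
    """Return the AD and CD bits from a DNS message header."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return {"ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD)}

def may_trust_ad(resolver_ip, response, sent_cd):
    """Policy from the thread: AD is only meaningful from a validating resolver
    reached over loopback, and only if we did not ask it to skip validation (CD)."""
    if sent_cd:
        return False  # a CD query tells the resolver not to validate; AD says nothing
    if not ipaddress.ip_address(resolver_ip).is_loopback:
        return False  # AD crosses the network unauthenticated; treat it as a hint only
    return parse_flags(response)["ad"]

def constructed_response(ad, qid=0x1234):
    """Constructed 12-byte response header (QR, RD, RA set) for demonstration only."""
    flags = 0x8180 | (FLAG_AD if ad else 0)
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 1)
```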