On Sun, 12 Jan 2014, Rick van Rein wrote:
I *think* I am asking for something new — namely, to insist on presence of DNSSEC and proper validation on it. In other words, to be able to neglect anything that is not properly signed.
If an application wants to insist on DNSSEC, they simple need to query and check for the AD bit being set. It's not up to the resolver to set application policy. Paul _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
