Hi,

> If an application wants to insist on DNSSEC, they simply need to query
> and check for the AD bit being set. It's not up to the resolver to
> set application policy.

Two reasons make this technically correct, but intractable:

1. The person wanting to enforce this policy may be a sysadmin, rather than a developer. He'd end up doing nasty things with firewalls and experience delay times.
2. I think the recursive resolver is the ultimate place to implement insisting on DNSSEC; using an overloaded bit to do it elsewhere somewhat scares me.

So I, ehm, insist, that this is a useful feature to add to Unbound ;-)

Thanks,

-Rick
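
The application-side check described in the quoted text, as an added example that is not part of the original thread or of Unbound: it builds a query with the AD bit set and accepts a reply only when the resolver reports NOERROR with AD. The function names are hypothetical and the sample reply headers are constructed for illustration.

```python
import struct

QR = 0x8000          # message is a response
RD = 0x0100          # recursion desired
AD = 0x0020          # Authenticated Data: resolver validated the answer
RCODE_MASK = 0x000F  # low four bits of the flags word


def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query with RD and AD set (AD in a query requests AD in the reply)."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def insist_on_dnssec(response, txid):
    """Return True only for a NOERROR reply to txid that carries the AD bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & QR:
        raise ValueError("not a reply to our query")
    return (flags & RCODE_MASK) == 0 and bool(flags & AD)


def _header(flags, txid=0x1234):
    # Constructed 12-byte reply header: one question, one answer.
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)


# Constructed samples (header only; the check never reads past byte 4).
VALIDATED = _header(0x81A0)    # QR|RD|RA|AD, NOERROR
UNVALIDATED = _header(0x8180)  # QR|RD|RA, NOERROR, AD clear (unsigned zone)
SERVFAIL = _header(0x8182)     # RCODE 2, e.g. validation failed

if __name__ == "__main__":
    for label, msg in [("validated", VALIDATED),
                       ("unvalidated", UNVALIDATED),
                       ("servfail", SERVFAIL)]:
        verdict = "accept" if insist_on_dnssec(msg, 0x1234) else "reject"
        print(f"{label}: {verdict}")
```

The AD bit is only as trustworthy as the path to the resolver that set it, so a check like this is meaningful against a validating resolver reached over a trusted channel such as loopback.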
