On Sun, Jan 12, 2014 at 11:03:47AM +0100, Rick van Rein wrote:
> > If an application wants to insist on DNSSEC, they simply need to query
> > and check for the AD bit being set. It's not up to the resolver to
> > set application policy.
>
> Two reasons make this technically correct, but intractable:
>
> 1. The person wanting to enforce this policy may be a sysadmin, rather than a
> developer. He'd end up doing nasty things with firewalls and experience
> delay times.
>
> 2. I think the recursive resolver is the ultimate place to implement
> insisting on DNSSEC; using an overloaded bit to do it elsewhere somewhat
> scares me.
Why does this scare you? If you don't trust the AD bit from your DNSSEC validating resolver - why trust the response at all? Perhaps DNS is not the right thing for your application.

> So I, ehm, insist, that this is a useful feature to add to Unbound ;-)

Unbound has been released under the BSD license, which means you are free to svn checkout the sources and hack, hack, hack.

-- 
Oliver PETER [email protected] 0x456D688F
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
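The application-side check both posters refer to, as an added example that is not part of the original thread and is not Unbound code: build a query with RD and AD set plus an EDNS0 OPT record with DO, and accept a reply only if it is a response to our transaction, has RCODE NOERROR and carries the AD flag. It uses only the standard library and raw DNS wire format (RFC 1035 header, RFC 6891 OPT record, RFC 6840 section 5.7 for AD in queries). As the reply in the thread notes, AD is only meaningful when the resolver is validating and the path to it (here assumed to be 127.0.0.1) is trusted; the sample responses below are constructed for the offline check, and `query_resolver` is the only part that touches the network.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 2535 / RFC 6840).
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data (set by a validating resolver)
FLAG_CD = 0x0010   # checking disabled (never set this if you want validation)
RCODE_MASK = 0x000F
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
EDNS_DO = 0x00008000  # DO bit lives in the high bit of the OPT TTL field's low 16 bits


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression needed for a question)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, want_ad=True):
    """Wire-format query: RD (+ AD, signalling we understand AD) and an OPT RR with DO."""
    flags = FLAG_RD | (FLAG_AD if want_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)      # QD=1, AR=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)  # root name, 4096 byte UDP
    return header + question + opt


def response_is_authenticated(query, response):
    """Return (ok, reason). ok only when the reply matches our txid, is NOERROR and has AD."""
    if len(response) < 12:
        return False, "truncated header"
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", query[:2])[0]:
        return False, "transaction id mismatch"
    if not flags & FLAG_QR:
        return False, "not a response"
    rcode = flags & RCODE_MASK
    if rcode != 0:
        return False, "rcode %d (SERVFAIL usually means validation failed)" % rcode
    if flags & FLAG_CD:
        return False, "CD set: resolver was told not to validate"
    if not flags & FLAG_AD:
        return False, "AD bit not set: answer was not validated"
    return True, "validated"


def make_sample_response(query, flags):
    """Constructed reply for offline testing: echo txid and question, set the given flags.
    ANCOUNT is left 0 because only the header bits matter for this check."""
    txid = query[:2]
    question = query[12:-11]  # everything between the header and the 11 byte OPT RR
    return txid + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + question


def query_resolver(name, resolver="127.0.0.1", port=53, timeout=2.0):
    """Send the query to a (assumed validating, assumed trusted) resolver and check AD."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, port))
        resp, _ = s.recvfrom(4096)
    return response_is_authenticated(q, resp)


if __name__ == "__main__":
    print(query_resolver("nlnetlabs.nl."))
```

Running the script against a local Unbound with validation enabled prints `(True, 'validated')` for a signed zone and a refusal reason for an unsigned one; an application that "insists on DNSSEC" simply treats anything but `True` as a lookup failure. Note that a SERVFAIL from a validating resolver is the normal signal for a bogus answer, so it is reported as a reason rather than retried.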
