Hello,

> I understand what you want and agree with you it would be nice to have this
> functionality.
> One way to do this is to run a local resolver behind a proxy that translates
> all answers w/o AD bit to an
> empty answer with RCODE>0, not sure what RCODE
Scary stuff. Very, very hacky.

> A better way might be to propose an EDNS0 option that expresses to the
> resolver:
> only answer if AD==1
> and defines a new RCODE to express only insecure answer exists.

At the protocol level, that would be the proper resolution. But I doubt anyone is going to find that acceptable — I think the full force of the IETF is going to tell us that this is to be arranged in the resolver. And I would agree with them.

> This way applications that want this functionality get it and all others that
> use the resolver
> are not affected.

It's always possible to make this view-dependent, and/or to run multiple resolver instances. I don't think I'd ever combine this functionality with the default resolver on a network, but rather run it on a machine that requires this facility — so as to bypass LAN dangers (such as its users).

-Rick

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
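The filtering rule the quoted message sketches (pass through answers that carry the AD bit, turn everything else into an empty answer with a non-zero RCODE) is small enough to show in code. The block below is an added example written for this page; it is not code from the thread, from Unbound, or from either poster. It works on raw wire-format DNS messages with the standard library only and does no network I/O, so the socket loop of a real proxy is left out. Two things are assumptions of mine, not something the thread settled: the substituted RCODE is SERVFAIL (2), and the sample messages are constructed inline for demonstration.

```python
"""
Added example (not from the original thread or from Unbound): a proxy-side
filter that forwards DNS responses carrying the AD (Authenticated Data) bit
unchanged and rewrites every other response into an empty answer with a
non-zero RCODE, as the quoted message describes.

Assumptions (mine, not stated in the thread):
  * the substituted RCODE is SERVFAIL (2); the original poster left it open
  * responses are handled as raw wire-format messages (bytes)
  * standard library only; the listening socket of a real proxy is omitted
"""
import struct

# Header flag masks (RFC 1035 section 4.1.1; AD and CD from RFC 4035 3.2.3)
FLAG_QR = 0x8000
OPCODE_MASK = 0x7800
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020        # set by a validating resolver on validated data
FLAG_CD = 0x0010
RCODE_MASK = 0x000F

RCODE_SERVFAIL = 2      # assumption: RCODE substituted for unvalidated answers


def _skip_name(wire, offset):
    """Return the offset just past the DNS name starting at `offset`.
    Handles uncompressed labels and a terminating compression pointer."""
    while True:
        length = wire[offset]
        if length == 0:                 # root label ends the name
            return offset + 1
        if length & 0xC0 == 0xC0:       # 2-byte pointer also ends the name
            return offset + 2
        offset += 1 + length


def question_section_end(wire):
    """Offset at which the question section ends (answer section begins)."""
    qdcount = struct.unpack_from("!H", wire, 4)[0]
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(wire, offset) + 4   # name, then QTYPE + QCLASS
    return offset


def has_ad_bit(wire):
    return bool(struct.unpack_from("!H", wire, 2)[0] & FLAG_AD)


def rcode(wire):
    return struct.unpack_from("!H", wire, 2)[0] & RCODE_MASK


def answer_count(wire):
    return struct.unpack_from("!H", wire, 6)[0]


def filter_response(wire, insecure_rcode=RCODE_SERVFAIL):
    """Forward AD=1 responses unchanged; rewrite all others to an empty
    response that keeps the ID, QR/Opcode/RD/RA flags and the question
    section, drops every other section and sets RCODE to `insecure_rcode`."""
    msg_id, flags, qdcount = struct.unpack_from("!HHH", wire, 0)
    if flags & FLAG_AD:
        return wire
    qend = question_section_end(wire)
    keep = FLAG_QR | OPCODE_MASK | FLAG_RD | FLAG_RA   # AA/TC/AD/CD and old RCODE cleared
    new_flags = (flags & keep) | (insecure_rcode & RCODE_MASK)
    header = struct.pack("!HHHHHH", msg_id, new_flags, qdcount, 0, 0, 0)
    return header + wire[12:qend]


# ---- constructed sample input (for demonstration only) ----------------------

def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(msg_id, qname, address, ad):
    """Build a NOERROR response with one A record; AD set or not per `ad`."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in address.split("."))
    # owner name as a compression pointer to the question name at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    secure = build_a_response(0x1234, "example.com.", "192.0.2.1", ad=True)
    insecure = build_a_response(0x1234, "example.com.", "192.0.2.1", ad=False)
    print("validated answer forwarded unchanged:", filter_response(secure) == secure)
    out = filter_response(insecure)
    print("unvalidated answer rewritten: rcode=%d answers=%d" % (rcode(out), answer_count(out)))
```

Two caveats a practitioner would check before deploying this in front of a validating resolver: the resolver only sets AD on its replies when the client asked for it (the query must carry the AD or DO bit), so an unmodified stub resolver would see every answer fail; and a client that sets CD in its queries disables validation at the resolver, so the proxy should clear CD on the way in rather than trust the stub.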
