Hi Sen Dion,

This is not needed. Unbound can keep apart unsigned domains and domains where the crypto fails or is missing. This is a feature of DNSSEC, where there is a signature over data that says the domain is unsigned. So the user can trust the absence of the ad flag (and the data is then insecure, but we know securely that it could arrive without signatures).

Best regards, Wouter

On 02/04/17 21:07, Sen Dion via Unbound-users wrote:
> Hello Everybody,
>
> It looks like there is an assumption that it is an application
> responsibility to get user consent before accessing an unsigned domain
> (whenever 'ad' flag is not set). AFAIK, that is not the case: the majority
> of applications are not 'ad' flag aware.
>
> How to prevent accesses to unsigned domains from these applications? Is
> there a way to force resolution failure (in unbound) for an unsigned
> domain?
>
> Regards,
> Sen Dion
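The three outcomes Wouter describes (validated, provably unsigned, and failed validation) are visible to an application only if it looks at the DNS header. The following is an added example, not code from the thread or from the Unbound project: a standard-library Python sketch that builds a query with the EDNS0 DO bit and the AD bit set, then classifies a reply header into "secure" (AD set), "insecure" (NOERROR without AD, i.e. the resolver proved the zone is unsigned) or "bogus" (SERVFAIL from a validating resolver). The sample replies are constructed inline, so nothing touches the network; the resolver address and the transport are left out and are assumptions of the reader's deployment.

```python
"""Added example (not from the Unbound list thread): an application-side
check of the DNSSEC AD ("authentic data") flag using only the standard
library. Sample replies are constructed below; no network access is made.
Assumption: the application talks to a validating resolver such as Unbound
over a trusted path (e.g. localhost), since AD is only meaningful then.
"""
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authentic data (DNSSEC validated)
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
EDNS_DO = 0x8000   # DNSSEC OK bit in the OPT RR TTL field


def encode_name(name):
    """Wire-format encoding of a dotted domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Query with RD and AD set (RFC 6840 s5.7: AD in a query asks the
    resolver to report AD in its reply) plus an EDNS0 OPT RR with DO=1."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # IN class
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0,
    # flags DO, rdlength 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
        "ancount": an,
    }


def classify(msg, expected_id):
    """Map a reply to the DNSSEC outcome an application should act on.
    'bogus' here means SERVFAIL from the validator; a resend with CD=1
    would tell validation failure apart from other server errors (not done)."""
    h = parse_header(msg)
    if not h["qr"] or h["id"] != expected_id:
        return "invalid"
    if h["rcode"] == RCODE_SERVFAIL:
        return "bogus"
    if h["rcode"] != RCODE_NOERROR:
        return "error"
    return "secure" if h["ad"] else "insecure"


def make_response(txid, extra_flags, rcode):
    """Constructed reply header (no answer section) for offline testing."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | extra_flags | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


# Constructed sample replies, matching the query id used by build_query()
SAMPLE_SECURE = make_response(0x1234, FLAG_AD, RCODE_NOERROR)
SAMPLE_INSECURE = make_response(0x1234, 0, RCODE_NOERROR)
SAMPLE_BOGUS = make_response(0x1234, 0, RCODE_SERVFAIL)

if __name__ == "__main__":
    q = build_query("example.com.")
    print("query bytes:", len(q), "AD in query:", parse_header(q)["ad"])
    for label, reply in (("secure", SAMPLE_SECURE),
                         ("insecure", SAMPLE_INSECURE),
                         ("bogus", SAMPLE_BOGUS)):
        print(label, "->", classify(reply, 0x1234))
```

An application that wants Sen Dion's behaviour (refuse unsigned names) can treat "insecure" as a failure on its own side; the resolver itself keeps returning the data, because from its point of view the unsigned state is a proven, not a broken, result.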