[Unbound-users] DNSSEC validation by default?

Jakob Schlyter jakob at rfc.se
Thu Aug 7 13:25:55 UTC 2008


On 7 aug 2008, at 15.05, Wouter Wijngaards wrote:

> You are using an older version of Bind9 I think; since this was
> considered bad behaviour by Bind, and fixed in recent releases.
> It was fixed because some legacy boxes (adsl I think) did not like
> getting AD bits in their replies and crash or hang on it.

correct (and I was the one that found the bug) - some crappy NAT-boxes  
dropped DNS answers with AD set.

> If you just want to get an AD bit in the reply if its secure, set  
> the AD
> bit in the query to signal that you are ready and able to receive  
> the AD
> bit in the reply.
>
> That means getting your stub resolver to set 'AD' in queries.
>
> This has just been documented in the lastest dnssec-bis-updates  
> draft in
> the IETF dnsext working group.

yes, this is way to go.

	jakob




More information about the Unbound-users mailing list