Should DNSSEC work using udns + unbound with DNSSEC ?

Michael Tokarev mjt at tls.msk.ru
Fri May 3 17:20:57 MSK 2013


03.05.2013 16:40, Iñaki Baz Castillo wrote:
> Hi, I've configured DNSSEC in unbound. If my udns client sends DNS
> queries to this unbound, should DNSSEC work out of the box?

Yes, it works.  But it does not do validation itself, it relies on the
actual (recursive) nameserver to do so.

The only thing needed on the (dumb) client side is to set the appropriate
bit on the query, -- telling the recursive resolver that it should do DNSSEC
validation.  This can be enabled on a per-query basis and a per-invocation basis,
using query flags.  The client should also verify that the answer has the
appropriate bit (AD) set too, -- but this is _not_ done by the library,
because the application may handle this situation differently.

The dnsget utility has the -o dnssec option for that.  It does not verify the presence
of the AD bit, it just prints out the result received from the nameserver.

Regards,

/mjt
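
The AD check that the reply leaves to the application, as an added example that is not part of the original post and not udns code: it inspects the 12-byte header of a raw DNS reply. The names `check_ad` and `enum ad_status` and the sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of inspecting a reply from a validating recursive resolver. */
enum ad_status {
    AD_VALIDATED,   /* NOERROR/NXDOMAIN with AD set: resolver validated the data */
    AD_UNVALIDATED, /* usable answer, AD clear: unsigned zone or no validation done */
    AD_SERVFAIL,    /* RCODE 2: what a validating resolver returns for bogus data */
    AD_ERROR        /* short packet, wrong ID, not a response, truncated, other RCODE */
};

/* Header layout per RFC 1035 4.1.1; AD is bit 0x20 of the fourth byte (RFC 4035). */
enum ad_status check_ad(const unsigned char *pkt, size_t len, uint16_t query_id)
{
    if (pkt == NULL || len < 12)
        return AD_ERROR;
    uint16_t id = (uint16_t)((pkt[0] << 8) | pkt[1]);
    unsigned hi = pkt[2], lo = pkt[3];
    /* Must be a response (QR) to our query and not truncated (TC). */
    if (id != query_id || !(hi & 0x80) || (hi & 0x02))
        return AD_ERROR;
    unsigned rcode = lo & 0x0f;
    if (rcode == 2)
        return AD_SERVFAIL;
    if (rcode != 0 && rcode != 3)   /* only NOERROR and NXDOMAIN carry usable data */
        return AD_ERROR;
    return (lo & 0x20) ? AD_VALIDATED : AD_UNVALIDATED;
}

/* Constructed sample headers (ID 0x1234, QR+RD+RA set), not captured traffic. */
static const unsigned char sample_secure[12]   = {0x12,0x34,0x81,0xa0,0,1,0,1,0,0,0,0};
static const unsigned char sample_insecure[12] = {0x12,0x34,0x81,0x80,0,1,0,1,0,0,0,0};
static const unsigned char sample_bogus[12]    = {0x12,0x34,0x81,0x82,0,1,0,0,0,0,0,0};

int main(void)
{
    printf("secure=%d insecure=%d bogus=%d\n",
           check_ad(sample_secure, sizeof sample_secure, 0x1234),
           check_ad(sample_insecure, sizeof sample_insecure, 0x1234),
           check_ad(sample_bogus, sizeof sample_bogus, 0x1234));
    return 0;
}
```

The AD bit is only meaningful when the path to the resolver is trusted, for example an unbound instance listening on localhost.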

