[dns-operations] DNSSEC "strict" mode useful?
Zuleger, Holger, Vodafone DE
holger.zuleger at vodafone.com
Thu Aug 28 11:03:06 UTC 2014
> Hello,
>
> Would a DNSSEC "strict" mode in DNS resolver software be useful?
>
> I define DNSSEC "strict" mode as a mode of DNS resolver operation where
> only DNSSEC validated data will be returned.
>
> Today the default mode of operation is to return data with AD flag for
> validated data, SERVFAIL for validation failures, and data without AD
> flag for all insecure data (no DNSSEC trust chain).
>
> A DNS resolver in "strict" mode would never return data without AD flag
> to a client. So either data + AD flag or SERVFAIL.
Hmm, what about BIND's
dnssec-must-be-secure "." yes;
?
Regards
Holger
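
The "strict" semantics defined in the quoted question, as an added example that is not part of the original thread and is not BIND's or any resolver's code: a filter that passes a response through only when the AD bit is set and otherwise rewrites it into SERVFAIL with the records stripped. The function names, the sample message and the choice to map every non-AD response (including error rcodes) to SERVFAIL are assumptions made for this illustration.

```python
import struct

FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_SERVFAIL = 2

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035; AD bit per RFC 4035)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": msg_id, "flags": flags, "qdcount": qd, "ancount": an,
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F}

def question_end(msg: bytes, qdcount: int) -> int:
    """Return the offset just past the question section."""
    off = 12
    for _ in range(qdcount):
        while True:
            if off >= len(msg):
                raise ValueError("truncated question name")
            length = msg[off]
            if length & 0xC0:
                raise ValueError("compressed name in question not handled")
            off += 1 + length
            if length == 0:
                break
        off += 4  # QTYPE + QCLASS
    if off > len(msg):
        raise ValueError("truncated question")
    return off

def strict_filter(msg: bytes) -> bytes:
    """Pass AD-flagged responses through; turn everything else into SERVFAIL."""
    h = parse_header(msg)
    if not h["flags"] & FLAG_QR:
        raise ValueError("not a response")
    if h["ad"]:
        return msg
    # Assumption: keep ID, RD and the question; drop all record sections.
    flags = FLAG_QR | FLAG_RA | (h["flags"] & FLAG_RD) | RCODE_SERVFAIL
    head = struct.pack("!6H", h["id"], flags, h["qdcount"], 0, 0, 0)
    return head + msg[12:question_end(msg, h["qdcount"])]

def build_sample(ad: bool) -> bytes:
    """Constructed sample: A response for example.com with one answer record."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0) + question + answer
```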