[dns-operations] DNSSEC "strict" mode useful?

Zuleger, Holger, Vodafone DE holger.zuleger at vodafone.com
Thu Aug 28 11:03:06 UTC 2014


> Hello,
> 
> Would a DNSSEC "strict" mode in DNS resolver software be useful?
> 
> I define DNSSEC "strict" mode as a mode of DNS resolver operation where
> only DNSSEC validated data will be returned.
> 
> Today the default mode of operation is to return data with AD flag for
> validated data, SERVFAIL for validation failures, and data without AD
> flag for all insecure data (no DNSSEC trust chain).
> 
> A DNS resolver in "strict" mode would never return data without AD flag
> to a client. So either data + AD flag or SERVFAIL.
Hmm, what about BIND's

	dnssec-must-be-secure "." yes;
?

Regards
 Holger
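
The "strict" policy described in the quoted message (either data with the AD flag or SERVFAIL), as an added example that is not part of the original thread and is not BIND's implementation. It applies the policy to a wire-format DNS response; the function names and the sample messages are constructed for illustration, and the AD flag is assumed to come from a trusted validating resolver.

```python
import struct

AD_FLAG = 0x0020        # Authentic Data bit in the DNS header flags word
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2

def _question_end(msg: bytes, qdcount: int) -> int:
    """Return the offset just past the question section."""
    off = 12
    for _ in range(qdcount):
        while True:
            if off >= len(msg):
                raise ValueError("truncated question section")
            length = msg[off]
            if length == 0:               # root label terminates the name
                off += 1
                break
            if length & 0xC0 == 0xC0:     # compression pointer ends the name
                off += 2
                break
            off += 1 + length
        off += 4                          # QTYPE + QCLASS
    if off > len(msg):
        raise ValueError("truncated question section")
    return off

def strict_filter(response: bytes) -> bytes:
    """Pass validated (AD) responses and SERVFAIL through unchanged; turn
    everything else (insecure data, unvalidated denials) into SERVFAIL."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    ident, flags, qd, _an, _ns, _ar = struct.unpack("!6H", response[:12])
    if flags & AD_FLAG or (flags & RCODE_MASK) == RCODE_SERVFAIL:
        return response
    end = _question_end(response, qd)
    new_flags = (flags & ~RCODE_MASK & ~AD_FLAG) | RCODE_SERVFAIL
    # Keep header id and question, drop answer/authority/additional records.
    return struct.pack("!6H", ident, new_flags, qd, 0, 0, 0) + response[12:end]

def sample_response(ad: bool) -> bytes:
    """Constructed response: example.com A 192.0.2.1, flags QR+RD+RA (+AD)."""
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    flags = 0x8180 | (AD_FLAG if ad else 0)
    return struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0) + question + answer

if __name__ == "__main__":
    for ad in (True, False):
        out = strict_filter(sample_response(ad))
        print("AD" if ad else "no AD", "->", out.hex())
```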

