[dns-operations] DNSSEC "strict" mode useful?
Zuleger, Holger, Vodafone DE
holger.zuleger at vodafone.com
Thu Aug 28 11:03:06 UTC 2014
> Would a DNSSEC "strict" mode in DNS resolver software be useful?
> I define DNSSEC "strict" mode as a mode of DNS resolver operation where
> only DNSSEC validated data will be returned.
> Today the default mode of operation is to return data with AD flag for
> validated data, SERVFAIL for validation failures, and data without AD
> flag for all insecure data (no DNSSEC trust chain).
> A DNS resolver in "strict" mode would never return data without AD flag
> to a client. So either data + AD flag or SERVFAIL.
Hmm, what about BIND's
dnssec-must-be-secure "." yes;
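The "strict" policy defined in the quoted question (data with the AD flag, or SERVFAIL), sketched as an added example that is not part of the original thread and not code from any resolver. The names `strict_filter`, `question_end` and `sample_response` are hypothetical, the sample messages are constructed, and the sketch assumes the filter sits directly behind a validating resolver whose AD bit it can trust.

```python
import struct

# DNS header flag bits (RFC 1035, AD from RFC 4035)
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020
KEEP = 0xF980      # QR + opcode + RD + RA are carried into the synthesized reply
SERVFAIL = 2

def question_end(msg: bytes) -> int:
    """Offset just past the first question (uncompressed QNAME, QTYPE, QCLASS)."""
    pos = 12
    while True:
        if pos >= len(msg):
            raise ValueError("question section runs past end of message")
        if msg[pos] == 0:
            break
        pos += 1 + msg[pos]
    if pos + 5 > len(msg):
        raise ValueError("question section runs past end of message")
    return pos + 5

def strict_filter(msg: bytes) -> bytes:
    """Return msg unchanged if AD is set; otherwise a SERVFAIL for the same question."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & AD:
        return msg                      # validated data passes through
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    # Insecure (no AD) data is withheld: empty answer/authority/additional sections.
    header = struct.pack("!HHHHHH", msg_id, (flags & KEEP) | SERVFAIL, 1, 0, 0, 0)
    return header + msg[12:question_end(msg)]

def sample_response(flags: int) -> bytes:
    """Constructed response: example.com A -> 192.0.2.1 with the given header flags."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0) + question + answer

if __name__ == "__main__":
    for label, flags in (("secure", QR | RD | RA | AD), ("insecure", QR | RD | RA)):
        out = strict_filter(sample_response(flags))
        print(label, "rcode", out[3] & 0x0F, "ancount", out[7])
```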