Hi Luca,
This is not possible. The validator module always tries to validate the
records so that they are entered in the cache with the appropriate
DNSSEC status.
This also allows for bogus answers to be cached with the configured
'val-bogus-ttl:' (default 60 secs; to prevent repeated revalidation of
bogus data) since the TTL from the bogus answer cannot be trusted.
As a side note you could use 'domain-insecure:' for specific zones and
that would signal the validator to not attempt validation there (so no
DNSKEY queries), but I don't think that is relevant to your question.
Best regards,
-- George
On 15/04/2022 15:52, Luca via Unbound-users wrote:
Hello,
I've been running unbound 1.6.6 on CentOS7 and noticed that DNSSEC
related queries (e.g. DNSKEY) are issued even if the original query
requires DNSSEC validation to not be performed (CD flag enabled). Is it
possible to make unbound not issue those DNSSEC queries without
disabling the validator module?
Thanks,
Luca
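
An added example, not part of the original thread and not Unbound project code: it builds the kind of query discussed above (a DNSKEY query with the CD bit set, optionally with the EDNS0 DO bit) and decodes the AD/CD bits of a reply header, which is useful when testing how a resolver treats such queries. The name `example.com`, the transaction ID and the sample response header are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD defined in RFC 4035 section 3.2)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
TYPE_DNSKEY, TYPE_OPT = 48, 41
DO_BIT = 0x8000  # "DNSSEC OK" flag carried in the TTL field of the OPT record

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234, cd=False, do=False):
    """Build a recursive query; cd=True asks the resolver not to enforce validation."""
    flags = RD | (CD if cd else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if do:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = flags, no rdata
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_BIT, 0)
    return msg

def decode_flags(msg):
    """Return the header bits relevant to DNSSEC handling from a DNS message."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return {
        "qr": bool(flags & QR),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
    }

# Constructed sample: header of a reply with QR, RD, RA and CD set, rcode 0.
SAMPLE_REPLY_HEADER = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | CD, 1, 1, 0, 0)
```

The bytes from `build_query` can be sent to a test resolver over UDP port 53 while capturing its upstream traffic to see which DNSSEC queries it issues.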