Subject: Re: interaction of validation and local stubs and forwarders Date: Fri, Jan 09, 2026 at 03:46:42PM +0100 Quoting Yorgos Thessalonikefs via Unbound-users ([email protected]): > Hi Måns, > > Unbound needs to build a chain of trust to prove the existence or not of > DNSSEC data. > If access to the .se key is not possible (or the key is bogus, as an > alternative) then the chain is not complete. > > Is your domain signed? Then using either of the: > - trust-anchor-file [1], or > - trust-anchor [2] > options would start the chain of trust at your domain, no need for root or > .se . > > Is your domain not singed? Then using domain-insecure [3] would treat that > domain as insecure, no need for a chain of trust to prove that.
Thanks for replying. Yes, we today have done some in-house stress tests and realised what is the right answer for this deployment. It is good to have confirmation that we understand the problem. Best regards, -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE SA0XLR +46 705 989668 I love ROCK 'N ROLL! I memorized the all WORDS to "WIPE-OUT" in 1965!!
signature.asc
Description: PGP signature
