So powerdns-recursor uses the glue and treats it as authoritative
data. Perhaps it has an option to change that and allow
"hardening" of the data too (kind of as per
draft-wijngaards-dnsext-resolver-side-mitigation-01).
Unbound seems to want to verify the glue at the authoritative
server. That's why I thought of unbound's harden-referral-path:
setting. It's one of the anti-Kaminsky measures of not just
blindly trusting and using any glue you got. Since there is no
working authoritative source for titan.net, unbound with
harden-referral-path: yes fails to resolve titan.net and therefore
insecure.org.
Note that zonecheck.fr and similar sites apparently don't believe
the glue either.
jaap
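
A simplified model of the two behaviours described in the message above, added here as an illustration; it is not part of the original post and is not Unbound or PowerDNS code. All addresses and zone contents are constructed, and the server at the glue address answering for insecure.org while being lame for titan.net is an assumption made to match the description.

```python
# Constructed data: documentation-range addresses, simplified zone contents.
# Referrals handed out by the parent zone: zone -> (NS names, glue A records).
REFERRALS = {
    "titan.net": (["ns1.titan.net"], {"ns1.titan.net": "192.0.2.53"}),
    "insecure.org": (["ns1.titan.net"], {}),
    "example.net": (["ns1.example.net"], {"ns1.example.net": "192.0.2.10"}),
}
# What each server answers authoritatively: ip -> {(name, type): data}.
# 192.0.2.53 serves insecure.org but is lame for titan.net (assumption).
AUTH = {
    "192.0.2.53": {("insecure.org", "A"): "198.51.100.7"},
    "192.0.2.10": {("ns1.example.net", "A"): "192.0.2.10",
                   ("example.net", "A"): "198.51.100.9"},
}

def ask(ip, name, rtype):
    """Authoritative answer from the server at ip, or None (lame / no data)."""
    return AUTH.get(ip, {}).get((name, rtype))

def ns_address(ns_name, harden):
    """Address for a nameserver name, taken from its parent zone's glue."""
    zone = ns_name.split(".", 1)[1]
    _, glue = REFERRALS.get(zone, ([], {}))
    ip = glue.get(ns_name)
    if ip is None or not harden:
        return ip  # glue accepted as-is
    # Hardened: glue is only a hint; the zone's own server must confirm it.
    return ip if ask(ip, ns_name, "A") == ip else None

def resolve(name, harden):
    """Return the A record for a delegated zone apex, or None on failure."""
    ns_names, _ = REFERRALS[name]
    for ns in ns_names:
        ip = ns_address(ns, harden)
        if ip is not None:
            answer = ask(ip, name, "A")
            if answer is not None:
                return answer
    return None  # a real resolver would return SERVFAIL here

if __name__ == "__main__":
    for zone in ("insecure.org", "titan.net", "example.net"):
        print(zone, "glue trusted:", resolve(zone, False),
              "| hardened:", resolve(zone, True))
```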