Jaap Akkerhuis wrote:
> So powerdns-recursor uses the glue and treats it as authoritative
> data. Perhaps it has an option to change that and allow
> "hardening" of the data too (kind of as per
> draft-wijngaards-dnsext-resolver-side-mitigation-01)
>
> Unbound seems to want to verify the glue at the authoritative
> server. That's why I thought of unbound's harden-referral-path:
> setting. It's one of the anti-kaminsky measures of not just
> blindly trusting any using glue you got. Since there is no
> working authoritative source for titan.net, unbound with
> harden-referral-path: yes fails to resolve titan.net and therefore
> insecure.org.
>
> Note that zonecheck.fr and similar sites apparently don't believe
> the glue either.
>
I'm not a protocol expert, but why would you not trust the top-level nameserver if DNSSEC isn't enabled?

> jaap
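The behaviour discussed in this thread, as an added example that is not part of either message and is not Unbound's or PowerDNS's code: a simplified Python model of a resolver that uses referral glue as-is versus one that only accepts nameserver addresses confirmed by an authoritative answer. The nameserver names, the addresses and the `example.org.` control zone are constructed; only the titan.net / insecure.org relationship comes from the thread.

```python
# Constructed model of the case in the thread; nothing here touches the network.
# Nameserver names, addresses and the "example.org." control zone are made up.

# Delegations as handed out by the parent zone: NS names for each child zone.
DELEGATION_NS = {
    "insecure.org.": ["ns1.titan.net.", "ns2.titan.net."],
    "example.org.": ["ns1.example.org."],
}
# Glue: addresses learned from referrals, not from an authoritative answer.
GLUE = {
    "ns1.titan.net.": "192.0.2.1",
    "ns2.titan.net.": "192.0.2.2",
    "ns1.example.org.": "198.51.100.1",
}
# Addresses that the zone's own servers confirm when asked directly.
# titan.net. names are absent: the thread says it has no working
# authoritative source.
AUTHORITATIVE_A = {"ns1.example.org.": "198.51.100.1"}


def ns_address(ns_name, harden_referral_path):
    """Return the address a resolver would use for ns_name, or None."""
    if not harden_referral_path:
        return GLUE.get(ns_name)  # glue is used as-is
    # Hardened: only an address confirmed by the authoritative side counts.
    return AUTHORITATIVE_A.get(ns_name)


def usable_servers(zone, harden_referral_path):
    """Addresses of the servers the resolver may query for zone."""
    addrs = (ns_address(ns, harden_referral_path) for ns in DELEGATION_NS[zone])
    return [a for a in addrs if a is not None]


def resolves(zone, harden_referral_path):
    """True when at least one nameserver address survives the policy."""
    return bool(usable_servers(zone, harden_referral_path))


if __name__ == "__main__":
    for zone in DELEGATION_NS:
        for harden in (False, True):
            print(zone, "harden-referral-path:", "yes" if harden else "no",
                  "->", "resolves" if resolves(zone, harden) else "SERVFAIL")
```

In this model the glue-trusting policy keeps insecure.org resolvable while the hardened policy does not, which is the operational cost of the setting when a delegation depends on a zone with no working authoritative servers.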
