[Unbound-users] bug ? atleast a difference in behaviour

Paul Wouters paul at xelerance.com
Sun Sep 6 20:23:54 UTC 2009


On Sun, 6 Sep 2009, Leen Besselink wrote:

> I'm not a protocol expert, but why would you not trust the toplevel
> nameserver if DNSSEC isn't enabled ?

The records are "hints". They are published not by the zone owners,
but by there parents. This is required to void a recursion loop.
If you need ns1.example.com. to find ns1.example.com. someone else
will have to tell you. This is what glue records are for.

Since these are "out of zone" records, they are considered hints.
It's common sense to verify the information at the proper source.

It's like verifying gossip :)

Paul



More information about the Unbound-users mailing list