[dns-operations] Setting DO=1 only if validation is possible

Florian Weimer fw at deneb.enyo.de
Sun Oct 4 16:27:51 UTC 2009


BIND and Unbound set DO=1 unconditionally.

I took the liberty of testing 68.87.64.154 (one of Comcast's DNSSEC
test servers, <http://www.dnssec.comcast.net/>) to see if it sets DO=1
on upstream queries even if there is an obvious lack of trust anchors
and the client didn't send a DO=1 query.  It seems to always set DO=1.
According to Comcast's web page and to fpdns, this host is running
Nominum's recursor.

Does this mean that there are no security-aware, validating DNSSEC
resolvers which set DO=1 only when necessary?
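To reproduce the kind of check described above on captured upstream queries, here is an added example (not code from the post or from any of the resolvers named in it) that builds a minimal EDNS0 query with the DO bit set, clear, or absent, and a parser that reports which of the three a raw DNS message carries. The DO bit is the high bit of the 16-bit extended flags stored in the OPT RR's TTL field (RFC 3225/6891); everything else is constructed sample data.

```python
import struct

DO_FLAG = 0x8000  # DO bit: high bit of the OPT RR's 16-bit extended flags (low half of the TTL field)
OPT_TYPE = 41


def build_query(qname, do_bit=None, udp_size=4096):
    """Build a minimal A query. do_bit=None: no EDNS; True/False: OPT RR with DO set/clear."""
    arcount = 0 if do_bit is None else 1
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # id, RD set, 1 question
    question = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.strip(".").split(".")
    ) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if do_bit is None:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL = extended RCODE (8) | version (8) | flags (16), RDLENGTH=0
    flags = DO_FLAG if do_bit else 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_size, 0, 0, flags, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a wire-format name, including a terminating compression pointer."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n


def do_bit_set(msg):
    """Return True/False if the message has an OPT RR with DO set/clear, None if it has no EDNS OPT RR."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return bool(ttl & DO_FLAG)
    return None
```

Feed the bytes of each upstream query from a capture into `do_bit_set` and compare against the DO status of the client query that triggered it; a resolver that sets DO=1 only when necessary would show `None`/`False` upstream whenever the client query had no DO bit.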



More information about the dns-operations mailing list