[dns-operations] Setting DO=1 only if validation is possible

David Conrad drc at virtualized.org
Sun Oct 4 20:05:01 UTC 2009

On Oct 4, 2009, at 10:36 AM, Paul Vixie wrote:
>> From: Florian Weimer <fw at deneb.enyo.de>
>> Date: Sun, 04 Oct 2009 16:27:51 +0000
>> ...
>> Does this mean that there are no security-aware, validating DNSSEC
>> resolvers which set DO=1 only when necessary?

Not positive, but I think Nominum's product only sets DO=1 if DNSSEC  
is configured.

> as far as i know, it is always necessary to set DO=1.

Well, if you can guarantee (or feel comfortable not guaranteeing) that:

a) you are not the target of a forwarder
b) none of the stubs you are serving are going to request DNSSEC- 
related RRs (or perhaps expect those RRs to be validated and cached)

then it is perfectly fine to set DO=0.

Needless to say, it came as a surprise to me when I discovered that it  
was not possible to clear DO without recompiling code.  It was  
certainly not my intent when I wrote 3225.


More information about the dns-operations mailing list