[dns-operations] Setting DO=1 only if validation is possible
David Conrad
drc at virtualized.org
Sun Oct 4 20:05:01 UTC 2009
On Oct 4, 2009, at 10:36 AM, Paul Vixie wrote:
>> From: Florian Weimer <fw at deneb.enyo.de>
>> Date: Sun, 04 Oct 2009 16:27:51 +0000
>> ...
>> Does this mean that there are no security-aware, validating DNSSEC
>> resolvers which set DO=1 only when necessary?
Not positive, but I think Nominum's product only sets DO=1 if DNSSEC
is configured.
> as far as i know, it is always necessary to set DO=1.
Well, if you can guarantee (or feel comfortable not guaranteeing) that:
a) you are not the target of a forwarder
b) none of the stubs you are serving are going to request DNSSEC-related RRs (or perhaps expect those RRs to be validated and cached)
then it is perfectly fine to set DO=0.
Needless to say, it came as a surprise to me when I discovered that it
was not possible to clear DO without recompiling code. It was
certainly not my intent when I wrote 3225.
Regards,
-drc
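An added worked example, not code from the post or from any resolver product mentioned in it: the DO bit that the thread is about is the most significant bit of the 16-bit extended-flags field carried in the TTL slot of the EDNS0 OPT pseudo-RR (RFC 3225, on top of the OPT record from RFC 2671). The code below builds a DNS query with the OPT record and DO either set or cleared, parses a query to see whether DO was set, and shows one hypothetical decision rule (`upstream_do`, my own illustration of conditions a/b above, not an RFC-specified algorithm) for a non-validating resolver deciding whether to set DO on the query it sends upstream. The packet bytes are constructed here; nothing goes on the wire.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 2671)
DO_FLAG = 0x8000       # DO bit: MSB of the 16-bit extended flags (RFC 3225)
# Query types a stub uses when it explicitly wants DNSSEC material
# (RFC 3225 lets these be returned even with DO=0, so this set is a
# conservative choice for the policy below, an assumption of this example).
DNSSEC_QTYPES = {43, 46, 47, 48, 50}   # DS, RRSIG, NSEC, DNSKEY, NSEC3


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234, edns=True, do=True, udp_size=4096):
    """Build a DNS query: header, one question and (optionally) an OPT RR.

    The OPT RR is: root name, TYPE=41, CLASS=sender's UDP payload size,
    TTL=ext-RCODE(8) | version(8) | DO(1) | Z(15), RDLEN=0.
    """
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)      # IN
    if not edns:
        return header + question
    opt_ttl = DO_FLAG if do else 0           # ext-RCODE 0, version 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, opt_ttl, 0)
    return header + question + opt


def _skip_name(buf, off):
    """Advance past a wire-format name (handles a compression pointer)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_edns(packet):
    """Return (has_opt, do_set, udp_size) by walking to the additional section.

    Without an OPT RR the peer is plain RFC 1035: no DO, 512-byte UDP limit.
    """
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4              # QTYPE + QCLASS
    for _ in range(an + ns):
        off = _skip_name(packet, off)
        _, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10 + rdlen
    for _ in range(ar):
        off = _skip_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        if rtype == OPT_TYPE:
            return True, bool(ttl & DO_FLAG), rclass
        off += 10 + rdlen
    return False, False, 512


def query_type(packet):
    """QTYPE of the first question."""
    off = _skip_name(packet, 12)
    return struct.unpack("!H", packet[off:off + 2])[0]


def upstream_do(client_query, validating, forwarder_target):
    """Hypothetical policy: should DO be set on the upstream query?

    A validating resolver always needs the RRSIGs, so DO=1. A resolver that
    may be a forwarder target cannot know what its downstream wants, so DO=1.
    Otherwise DO can be cleared unless this particular stub asked for DNSSEC
    (its own DO bit, or an explicit query for a DNSSEC RR type).
    """
    if validating or forwarder_target:
        return True
    _, client_do, _ = parse_edns(client_query)
    return client_do or query_type(client_query) in DNSSEC_QTYPES


if __name__ == "__main__":
    q = build_query("example.net", 1, do=True)
    print(parse_edns(q))                                  # (True, True, 4096)
    print(upstream_do(build_query("example.net", 1, do=False), False, False))
```

The policy helper is deliberately coarse; what it mainly makes visible is that clearing DO is a per-query decision that depends on who is downstream, which is exactly why a resolver that might be forwarded to has little choice but to leave DO set.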