[dns-operations] Setting DO=1 only if validation is possible
bmanning at vacation.karoshi.com
Sun Oct 4 23:29:05 UTC 2009
On Sun, Oct 04, 2009 at 01:05:01PM -0700, David Conrad wrote:
> On Oct 4, 2009, at 10:36 AM, Paul Vixie wrote:
> >>From: Florian Weimer <fw at deneb.enyo.de>
> >>Date: Sun, 04 Oct 2009 16:27:51 +0000
> >>...
> >>Does this mean that there are no security-aware, validating DNSSEC
> >>resolvers which set DO=1 only when necessary?
>
> Not positive, but I think Nominum's product only sets DO=1 if DNSSEC
> is configured.
>
> >as far as i know, it is always necessary to set DO=1.
>
> Well, if you can guarantee (or feel comfortable not guaranteeing) that:
>
> a) you are not the target of a forwarder
> b) none of the stubs you are serving are going to request DNSSEC-
> related RRs (or perhaps expect those RRs to be validated and cached)
and the PMTU won't cause fragmentation and a fallback to TCP
that won't work.
>
> then it is perfectly fine to set DO=0.
>
> Needless to say, it came as a surprise to me when I discovered that it
> was not possible to clear DO without recompiling code. It was
> certainly not my intent when I wrote 3225.
>
> Regards,
> -drc
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
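To make the DO-bit mechanics the thread is arguing about concrete, here is an added example (not code from the thread, from BIND, or from the Nominum product mentioned): it builds a DNS query whose EDNS0 OPT record carries DO=1 only when the resolver is configured to validate, and a checker an operator can run over a captured query to see whether DO was set. The function names `build_query` and `do_bit_set`, the qname example.com and the 1232-byte UDP size are my own constructed choices.

```python
import struct

DO_FLAG = 0x8000   # RFC 3225: DO is the top bit of the 16-bit EDNS flags field
TYPE_OPT = 41      # EDNS0 OPT pseudo-RR type (RFC 2671)

def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype=1, qid=0x1234, validating=False, edns=True, udp_size=1232):
    """Build a query; the OPT RR gets DO=1 only if this resolver validates (the
    behaviour the thread wishes for, rather than DO=1 unconditionally)."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set, 1 question
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)     # class IN
    if not edns:
        return header + question
    flags = DO_FLAG if validating else 0
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16, DO is bit 15), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, 0, 0, flags, 0)
    return header + question + opt

def skip_name(buf, off):
    """Return the offset just past the name starting at buf[off]."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length

def do_bit_set(msg):
    """True/False if an OPT RR is present with/without DO; None if the
    message carries no OPT RR at all (a plain non-EDNS query)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return None
```

Pointing `do_bit_set` at queries captured from a resolver shows whether it behaves like the always-DO=1 implementations the thread complains about, or only sets DO when DNSSEC is configured.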