[dns-operations] Setting DO=1 only if validation is possible

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Sun Oct 4 23:29:05 UTC 2009

On Sun, Oct 04, 2009 at 01:05:01PM -0700, David Conrad wrote:
> On Oct 4, 2009, at 10:36 AM, Paul Vixie wrote:
> >>From: Florian Weimer <fw at deneb.enyo.de>
> >>Date: Sun, 04 Oct 2009 16:27:51 +0000
> >>...
> >>Does this mean that there are no security-aware, validating DNSSEC
> >>resolvers which set DO=1 only when necessary?
> Not positive, but I think Nominum's product only sets DO=1 if DNSSEC  
> is configured.
> >as far as i know, it is always necessary to set DO=1.
> Well, if you can guarantee (or feel comfortable not guaranteeing) that:
> a) you are not the target of a forwarder
> b) none of the stubs you are serving are going to request DNSSEC- 
> related RRs (or perhaps expect those RRs to be validated and cached)

	and the pmtu won't cause fragmentation and a fall back to TCP
	that won't work.

> then it is perfectly fine to set DO=0.
> Needless to say, it came as a surprise to me when I discovered that it  
> was not possible to clear DO without recompiling code.  It was  
> certainly not my intent when I wrote 3225.
> Regards,
> -drc
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list