[dns-operations] Setting DO=1 only if validation is possible
Paul Vixie
vixie at isc.org
Mon Oct 5 15:18:57 UTC 2009
> From: David Conrad <drc at virtualized.org>
> Date: Sun, 4 Oct 2009 13:05:01 -0700
>
> > as far as i know, it is always necessary to set DO=1.
>
> Well, if you can guarantee (or feel comfortable not guaranteeing) that:
>
> a) you are not the target of a forwarder
> b) none of the stubs you are serving are going to request DNSSEC-
> related RRs (or perhaps expect those RRs to be validated and cached)
>
> then it is perfectly fine to set DO=0.

sure. this is a narrow use case similar to the recent udp-only case.

> Needless to say, it came as a surprise to me when I discovered that it
> was not possible to clear DO without recompiling code. It was certainly
> not my intent when I wrote 3225.

understood. maybe you should gather input for 3225-bis then.