[dns-operations] Setting DO=1 only if validation is possible

Paul Vixie vixie at isc.org
Mon Oct 5 15:18:57 UTC 2009

> From: David Conrad <drc at virtualized.org>
> Date: Sun, 4 Oct 2009 13:05:01 -0700
> > as far as i know, it is always necessary to set DO=1.
> Well, if you can guarantee (or feel comfortable not guaranteeing) that:
> a) you are not the target of a forwarder
> b) none of the stubs you are serving are going to request DNSSEC- 
> related RRs (or perhaps expect those RRs to be validated and cached)
> then it is perfectly fine to set DO=0.

sure.  this is a narrow use case similar to the recent udp-only case.

> Needless to say, it came as a surprise to me when I discovered that it
> was not possible to clear DO without recompiling code.  It was certainly
> not my intent when I wrote 3225.

understood.  maybe you should gather input for 3225-bis then.

More information about the dns-operations mailing list