[dns-operations] DNSSEC validating clients that use upstream caching resolvers?

Phil Vandry vandry at TZoNE.ORG
Mon Feb 14 04:54:44 UTC 2011

Hi DNS operators,

(Forgive me if this is a FAQ but I've not found the answer with Google)

I would like to know that the recommended practice is for widely
deploying DNSSEC validation in clients. I am assuming that, as DNSSEC
becomes more popular, all clients on the Internet will eventually become
interested in receiving DNSSEC-validated answers to DNS queries;
they'll want this information in order to do everything from trusting an
SSHFP RR to confirming an HTTPS server's TLS certificate in DNS using a
yet-to-be-defined protocol. I am further assuming that no sane client
would want to trust the AD bit in a DNS response received from a remote
caching resolver, since the response could have been modified in transit
and since the remote caching resolver is often untrusted anyway (e.g.
ISP's server). Therefore client hosts have to do the DNSSEC validation

There are plenty of HOWTOs to be found that tell you how to install
unbound on your local station and get DNSSEC validation for yourself.
This gets the job done, of course, but can the Internet afford for
everyone to do that? Can the Internet afford for OS vendors to begin
shipping configurations with local caching resolvers on every PC?

Right now the root and TLD servers can expect to receive on the order
or one query per TTL interval per domain served from each caching
resolver out there. If end users stop using ISP-provided caching
resolvers and do recursive resolution themselves, I imagine that
would represent at least a hundredfold, probably many thousandfold
increase to the query load of those servers. Am I missing something?

I thought that, instead of this, end user computers should run
software that performs recursive resolution by itself (including
DNSSEC validation) yet still uses upstream servers, as caches only
(queries to upstream servers with RD bit clear). Does such software
exist? I didn't find it. Or am I thinking along the wrong lines?


More information about the dns-operations mailing list