[dns-operations] DNSSEC validating clients that use upstream caching resolvers?

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Feb 14 08:55:45 UTC 2011

On Sun, Feb 13, 2011 at 11:54:44PM -0500,
 Phil Vandry <vandry at TZoNE.ORG> wrote 
 a message of 41 lines which said:

> This gets the job done, of course, but can the Internet afford for
> everyone to do that? Can the Internet afford for OS vendors to begin
> shipping configurations with local caching resolvers on every PC?

[TLD hat on]

We did not test it yet, so I cannot be sure but remember that root and
TLD servers are often over-provisioned to deal with DDoS so it may
work for them (this is a guess, not the conclusion of a serious study).

[TLD hat off]

> I thought that, instead of this, end user computers should run
> software that performs recursive resolution by itself (including
> DNSSEC validation) yet still uses upstream servers, as caches only

This is reasonable and is indeed the normal DNS way.

> Does such software exist?

Any resolver can do it. Just configure it to run with the ISP's name
servers as forwarders. Two possible issues:

1) There is typically nothing on the regular Ubuntu box to change the
local validating resolver's configuration in response to
DHCP. Scripts would need to be modified to change unbound.conf or
named.conf, not resolv.conf as they do now. 

2) The forwarders need to be DNSSEC-enabled (something that the above
script has to test before updating named.conf or unbound.conf). (I
know at least one big ISP in France whose resolvers have different
configurations, some DNSSEC-enabled, not all, even when they are
behind the same IP address.)
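As an added illustration of the two points above (not code from the original post or from any resolver project): a small POSIX shell script of the kind a DHCP hook could run. It takes the nameservers DHCP handed out, keeps only those that return DNSSEC records when queried with the DO bit (a forwarder that strips RRSIGs is useless to a validating resolver behind it), and writes an unbound forward-zone stanza for the survivors. It assumes `dig` from the BIND tools is installed, that unbound is the local validating resolver, and that the config fragment path and the `dhclient` hook wiring are as described in the comments; the sample `dig` output used to explain the check is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Keep a local validating
# unbound pointed only at forwarders that actually pass DNSSEC data through.

# Decide from the text of a `dig +dnssec` reply whether the server that
# answered returned signature records. The root zone is signed, so a
# forwarder that honours the DO bit includes an RRSIG alongside the SOA.
dig_output_shows_dnssec() {
    # $1: captured dig output
    printf '%s\n' "$1" | grep -q '[[:space:]]RRSIG[[:space:]]'
}

# Query one forwarder for the root SOA with the DO bit set.
# Returns 0 if the reply carries RRSIGs, 1 on timeout or a stripped reply.
forwarder_supports_dnssec() {
    # $1: forwarder IP address
    command -v dig >/dev/null 2>&1 || return 1
    out=$(dig +dnssec +time=2 +tries=1 @"$1" . SOA 2>/dev/null) || return 1
    dig_output_shows_dnssec "$out"
}

# stdin: one server address per line; stdout: those that pass the check.
# An ISP can have mixed resolvers behind one address, so every address is
# probed individually rather than assuming the first answer speaks for all.
filter_dnssec_forwarders() {
    while read -r srv; do
        [ -n "$srv" ] || continue
        if forwarder_supports_dnssec "$srv"; then
            printf '%s\n' "$srv"
        fi
    done
}

# Print an unbound forward-zone stanza for the given addresses.
render_unbound_forward_zone() {
    printf 'forward-zone:\n    name: "."\n'
    for srv in "$@"; do
        printf '    forward-addr: %s\n' "$srv"
    done
}

# Entry point meant to be called from a dhclient exit hook (hypothetical
# wiring, e.g. a file under /etc/dhcp/dhclient-exit-hooks.d/). dhclient
# exports the DHCP-supplied servers as $new_domain_name_servers. The config
# fragment path below is an assumed location, not a fixed unbound default.
main() {
    conf=${1:-/etc/unbound/unbound.conf.d/forwarders.conf}
    # unquoted on purpose: the variable is a space-separated list
    good=$(printf '%s\n' $new_domain_name_servers | filter_dnssec_forwarders)
    if [ -z "$good" ]; then
        echo "no DNSSEC-capable forwarder offered; unbound keeps recursing itself" >&2
        rm -f "$conf"
        return 1
    fi
    render_unbound_forward_zone $good > "$conf"
    unbound-control reload >/dev/null 2>&1 || true
}
```

Calling `main` from the hook rather than at the top of the file keeps the functions usable on their own; when no offered server passes the probe the fragment is removed so unbound falls back to full recursion instead of forwarding to a resolver that would strip the signatures it needs.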
