DNSSEC validating clients that use upstream caching resolvers?

Phil Vandry vandry at TZoNE.ORG
Mon Feb 14 15:56:44 UTC 2011

On Mon, 14 Feb 2011 09:55:45 +0100 Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> > Does such software exist?
> Any resolver can do it. Just configure it to run with the ISP's name
> servers as forwarders. Two possible issues:

I was misled by unbound's documentation. I tested to see what the software
does and you are indeed correct. The passage in unbound's manpage that
misled me was:

      The servers listed as forward-host: and forward-addr: have
      to handle further recursion for the query. Thus, those
      servers are not authority servers, but are (just like unbound
      is) recursive servers too; unbound does not perform recursion
      itself for the forward zone, it lets the remote server do it.

But on rereading, I see that my interpretation was wrong. Just because
it counts on the upstream server to do recursion does NOT mean it doesn't
do DNSSEC validation by itself. Indeed it asks the upstream servers for
all the necessary DNSKEY and DS records and does the validation locally.

Now if only my ISP's servers had DNSSEC enabled I could actually use
that configuration...

> 1) There is typically nothing on the regular Ubuntu box to change the
> local validating resolver's configuration in response to
> DHCP. Scripts would need to be modified to change unbound.conf or
> named.conf, not resolv.conf as they do now.

...and offer the Ubuntu folks help with those scripts if they are not
already on top of it.

Thanks Stephane for your quick response.
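The configuration discussed above (unbound validating locally while forwarding recursion to the ISP's resolvers) and the DHCP-hook point in item 1, as an added example that is not part of this post or of unbound's own code. It generates the forward-zone stanza from whatever upstream addresses a hook is handed, keeps the validation settings in a static stanza, and writes both to a scratch directory. The addresses 192.0.2.x and 2001:db8::1, the include-file layout and the trust-anchor path /var/lib/unbound/root.key are assumptions; adjust them for the real box.

```shell
#!/bin/sh
# Added example (not from the list post or from unbound): build an unbound
# setup that validates DNSSEC itself but lets upstream forwarders recurse.
# Addresses and paths are placeholders, not values from the post.

# Emit a forward-zone stanza for "." pointing at the given upstream
# resolvers. A DHCP hook could call this with the nameservers it received
# instead of rewriting resolv.conf. forward-addr: takes IP addresses only
# (names would go in forward-host:), so anything that is not an IPv4/IPv6
# literal is rejected before it reaches the config.
gen_forward_zone() {
    printf 'forward-zone:\n    name: "."\n'
    for addr in "$@"; do
        case "$addr" in
            ""|*[!0-9.:a-fA-F]*) return 1 ;;   # not an IP literal
        esac
        printf '    forward-addr: %s\n' "$addr"
    done
}

# Emit the static server stanza. auto-trust-anchor-file enables validation
# with the root key (and RFC 5011 rollover tracking); the include pulls in
# the hook-generated forwarders so the hook never edits unbound.conf itself.
gen_server_section() {
    printf 'server:\n'
    printf '    auto-trust-anchor-file: "%s"\n' "$1"
    printf '    include: "%s"\n' "$2"
}

# Stand-alone run: write both files to a scratch directory and show them.
out_dir=$(mktemp -d)
gen_server_section /var/lib/unbound/root.key "$out_dir/forward.conf" \
    > "$out_dir/unbound.conf"
gen_forward_zone 192.0.2.1 192.0.2.2 > "$out_dir/forward.conf"
cat "$out_dir/unbound.conf" "$out_dir/forward.conf"
# On a real host: unbound-checkconf "$out_dir/unbound.conf", then after a
# reload, unbound-host -v www.example.org should report "(secure)". If the
# forwarders strip RRSIGs or ignore the DO bit, unbound cannot validate and
# answers for signed zones come back SERVFAIL rather than silently unsigned.
```

Because validation happens in the local unbound, the forwarders only have to pass DNSSEC records through; they do not have to validate themselves. That is also why the setup fails rather than degrades when the ISP's resolvers are not DNSSEC-capable, which is the situation the post describes.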
