[dns-operations] DNSSEC "strict" mode useful?

Carsten Strotmann dnsop at strotmann.de
Wed Aug 27 10:49:29 UTC 2014


Would a DNSSEC "strict" mode in DNS resolver software be useful?

I define DNSSEC "strict" mode as a mode of DNS resolver operation where
only DNSSEC validated data will be returned.

Today the default mode of operation is to return data with the AD flag for
validated data, SERVFAIL for validation failures, and data without the AD
flag for all insecure data (no DNSSEC trust chain).

A DNS resolver in "strict" mode would never return data without the AD flag
to a client. So either data + AD flag or SERVFAIL.


DNSSEC "strict" mode is not to be used for generic DNS name resolution
in the public internet but

* in closed DNS environments with different parties, where by policy all
  DNS must be DNSSEC secured

* for a service in the public Internet where it is known that all DNS
  communication must be DNSSEC secured

Today such a "strict" mode configuration is possible by configuring
explicit trust anchor(s) for every domain to be secured. However this does
not scale.

In my view it would be useful to have a configuration switch to tell a
DNS resolver to apply DNSSEC "strict" mode to either all DNS requests,
or to DNS requests under a specified domain.

Has this been discussed before? I could only find vsResolver
(http://vsresolver.sf.net) to have a "secure-only" mode, but no full


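The policy described in the post (data + AD, or SERVFAIL, optionally limited to names under a configured domain) expressed as a filter over resolver responses, as an added example that is not part of the original post and not code from any resolver. It uses only the Python standard library, parses the DNS wire-format header and question by hand, and feeds itself constructed responses instead of talking to a real resolver. The function names, the suffix-match scope check, and the choice to rewrite a suppressed answer into a SERVFAIL that keeps only the question section are all assumptions made for the illustration.

```python
import struct

# Header flag bits from RFC 1035 / RFC 4035.
FLAG_QR = 0x8000
FLAG_AD = 0x0020
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qid, qname, rcode, ad, answers=()):
    """Constructed wire-format response standing in for a resolver reply (A records only)."""
    flags = FLAG_QR | (FLAG_AD if ad else 0) | (rcode & 0xF)
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return msg


def decode_name(msg, off):
    """Decode a (possibly compressed) name at off; returns (name, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                     # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    return {"id": qid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0xF, "qname": qname.lower(), "ancount": an,
            "question_end": off + 4}


def in_strict_scope(qname, strict_zones):
    """Assumed scope rule: strict mode applies under any listed zone; '.' means everything."""
    q = qname.rstrip(".").lower()
    for zone in strict_zones:
        z = zone.rstrip(".").lower()
        if z == "" or q == z or q.endswith("." + z):
            return True
    return False


def strict_mode_filter(msg, strict_zones):
    """Decide (rcode, ad, reason) a strict-mode resolver would hand to the client."""
    r = parse_response(msg)
    if not r["qr"]:
        raise ValueError("not a response")
    if r["rcode"] == RCODE_SERVFAIL:
        return RCODE_SERVFAIL, False, "validation failure passed through"
    if not in_strict_scope(r["qname"], strict_zones):
        return r["rcode"], r["ad"], "outside strict scope: default behaviour"
    if r["ad"]:
        return r["rcode"], True, "validated: returned with AD"
    return RCODE_SERVFAIL, False, "insecure answer suppressed by strict mode"


def rewrite_to_servfail(msg):
    """Assumed client-facing form: same ID and question, rcode SERVFAIL, AD cleared, no RRs."""
    qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    flags = (flags & ~(FLAG_AD | 0xF)) | RCODE_SERVFAIL
    question = msg[12:parse_response(msg)["question_end"]]
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question


def strict_mode_response(msg, strict_zones):
    """Return (wire message to send, reason) after applying strict mode."""
    rcode, _ad, reason = strict_mode_filter(msg, strict_zones)
    if rcode == RCODE_SERVFAIL and parse_response(msg)["rcode"] != RCODE_SERVFAIL:
        return rewrite_to_servfail(msg), reason
    return msg, reason


if __name__ == "__main__":
    # Constructed cases: strict mode configured for "example." only.
    cases = [
        build_response(1, "www.example.", RCODE_NOERROR, True, ("192.0.2.1",)),   # validated
        build_response(2, "www.example.", RCODE_NOERROR, False, ("192.0.2.1",)),  # insecure, in scope
        build_response(3, "www.other.", RCODE_NOERROR, False, ("192.0.2.1",)),    # insecure, out of scope
        build_response(4, "nx.example.", RCODE_NXDOMAIN, True),                   # authenticated denial
    ]
    for c in cases:
        out, why = strict_mode_response(c, ["example."])
        r = parse_response(out)
        print(r["qname"], "rcode", r["rcode"], "AD", r["ad"], "-", why)
```

An authenticated NXDOMAIN (AD set on a denial proven with NSEC/NSEC3) passes through unchanged, which is the behaviour a strict resolver needs so that "does not exist" stays distinguishable from "could not be validated".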