[dns-operations] Cloudflare DNS resolver (1.1.1.1): Weird DNSSEC race condition

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Mon Aug 6 11:42:06 UTC 2018


On 08/06/2018 12:44 PM, Shane Kerr wrote:
>> The main motivation is that some insecure zones/name servers break
>> horribly when they receive a query with DO=1, and we did not want to
>> clutter code with even more workarounds for this particular type of
>> brokenness.
> I wasn't aware of this feature but it seems pretty cool to me.
>
> It also should result in smaller packets and less CPU load on the
> authoritative side for insecure zones, so really it seems like it
> should have been the behavior from the beginning. (A large TLD
> operator mentioned this to me like 10 years ago...)

This feature has downsides: the resolver's clients may want a different
set of trust anchors, e.g. if it acts as a forwarder.
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/153

--Vladimir
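As an added illustration (not code from this thread or from Knot Resolver), the following stdlib-only Python builds and parses the EDNS0 DO bit the thread is about, and ends with a deliberately simplified model of the downside raised above: a forwarder that holds a trust anchor the upstream does not know about never gets RRSIGs for that zone if the upstream already queried its authoritative servers with DO=0. The zone sets and the function names `build_query`, `parse_do` and `forwarder_can_validate` are assumptions of this example.

```python
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR (RFC 6891)
DO_BIT = 0x8000    # DNSSEC OK: top bit of the 16-bit EDNS flags (low half of the OPT "TTL")

def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(packet, pos):
    """Return the offset just past the name at pos (handles compression pointers)."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length

def build_query(qname, qtype=1, do=True, udp_size=1232, qid=0x1234):
    """Build a DNS query (RD=1) carrying an OPT record, with DO set or cleared."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_size, 0, 0, DO_BIT if do else 0, 0)
    return header + question + opt

def parse_do(packet):
    """True/False for the DO bit of the OPT record in a DNS message; None if there is no OPT."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(packet, pos) + 4            # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = skip_name(packet, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        if rtype == OPT_TYPE:
            return bool(ttl & DO_BIT)
        pos += 10 + rdlen
    return None

def forwarder_can_validate(zone, forwarder_trust_anchors, upstream_insecure_zones):
    """Constructed model: the upstream sends DO=0 to authoritatives of zones it proved
    insecure from its own anchors, so it holds no RRSIGs for them. A forwarder with its
    own anchor for such a zone (an island of security) then cannot validate."""
    if zone not in forwarder_trust_anchors:
        return True                                 # forwarder treats it as insecure too
    return zone not in upstream_insecure_zones      # DO=1 upstream only if it was not "insecure"
```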
