Cloudflare DNS resolver ( Weird DNSSEC race condition

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Mon Aug 6 11:42:06 UTC 2018

On 08/06/2018 12:44 PM, Shane Kerr wrote:
>> The main motivation is that some insecure zones/name servers break
>> horribly when they receive a query with DO=1, and we did not want to
>> clutter code with even more workarounds for this particular type of
>> brokenness.
> I wasn't aware of this feature but it seems pretty cool to me.
> It also should result in smaller packets and less CPU load on the
> authoritative side for insecure zones, so really it seems like it
> should have been the behavior from the beginning. (A large TLD
> operator mentioned this to me like 10 years ago...)

This feature has downsides: the resolver's clients may want a different
set of trust anchors, e.g. if it acts as a forwarder.
