[dns-operations] Re: Re: DNS forwarder behavior on response with cname

'Stephane Bortzmeyer' bortzmeyer at nic.fr
Fri Dec 14 12:23:31 UTC 2018


On Thu, Dec 13, 2018 at 05:29:47PM +0800,
 Davey Song <ljsong at biigroup.cn> wrote 
 a message of 57 lines which said:

> it requires the upstream resolver to turn on DNSSEC and send DO bit
> as well. If the upstream resolver is not a validating resolver,

Be careful: sending the DO bit and validating are two different
things. IMHO, for the first (closest to the user) resolver to
validate, there is no need for its upstream resolver to validate. The
DO bit in the upstream is enough.

> It makes no sense to choose a non-validating resolver as an upstream
> resolver when you want your forwarder to validate.

This is false: the upstream resolver just has to be DNSSEC-enabled,
not DNSSEC-validating.

The rest of your message should be clarified, by taking into account
that sending-DO ≠ validating.
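
The distinction drawn in this message, shown as an added example that is not part of the original post: the DO bit travels in the EDNS0 OPT record of the query, while validation shows up as the AD bit in the response header, so the two can be checked independently. The function names, the 1232-byte UDP payload size and the sample response are assumptions constructed for the illustration.

```python
import struct

DO_FLAG = 0x8000     # DO: top bit of the EDNS flags held in the OPT record's TTL field
AD_FLAG = 0x0020     # AD: header bit a validating resolver sets on data it validated
TYPE_OPT, TYPE_RRSIG = 41, 46

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, qid=0x1234, do=True):
    """Query a forwarder sends upstream: RD set, one EDNS0 OPT record carrying DO."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_FLAG if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + n

def classify_upstream(msg):
    """Report separately whether the answer carries RRSIGs and whether AD is set."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    has_rrsig = False
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        has_rrsig = has_rrsig or rtype == TYPE_RRSIG
    return {"returns_signatures": has_rrsig, "claims_validation": bool(flags & AD_FLAG)}

def sample_response(ad):
    """Constructed reply for example.com A: one A record plus a placeholder RRSIG."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | (AD_FLAG if ad else 0), 1, 2, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig = b"\x00" * 20            # constructed filler, not a real signature
    rrsig = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig)) + sig
    return header + question + a_rr + rrsig

if __name__ == "__main__":
    print(classify_upstream(sample_response(ad=False)))
```

A response with `returns_signatures` true and `claims_validation` false is the case the message describes: the upstream passes RRSIGs along without validating, which is what a validating forwarder needs from it.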


