[dns-operations] Any known AD=1 intolerant iterative resolvers?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Apr 15 05:31:37 UTC 2020

On Wed, Apr 15, 2020 at 07:23:37AM +0200, Florian Weimer wrote:

> > My instinct is that it is now safe to just always send AD=1 in queries,
> > which would partly resolve the issue, but if that is liable to break
> > lookups via some extant resolvers, then AD=1 would need to be
> > configurable via options in /etc/resolv.conf or similar.
> This approach does not work because you do not know whether the
> recursive resolver merely echoes back the AD bit, or has actually
> performed DNSSEC validation.

That's not the question I'm asking.

> I'm also not sure if the AD bit will be set for local authoritative
> data in the recursive resolver, which did not undergo DNSSEC
> validation.

That's not the question I'm asking.

> So the answer to the question whether you can send AD=1 queries
> without increasing the query failure rate does not really matter
> because Postfix cannot use that anyway.

Well, in practice it can and does, and it works reliably with e.g. BIND,
unbound, ... as the immediate (local) upstream resolver.  If the
upstream resolver is not local, all bets are off anyway and the warranty
is void.

I just need to know whether a stub resolver that does not support DO=1
can safely, by default, send AD=1.

Your points are valid in general, but entirely out of scope in the
supported case, because the forwarder is a modern resolver on the
loopback interface.  But the stub resolver setting AD=1 needs to
not encounter breakage also in the unsupported (for Postfix) cases.


More information about the dns-operations mailing list