[dns-operations] which breakage is this? FreeBSD.org / systemd-resolved

Philip Homburg philip.homburg at ripe.net
Sun Nov 1 14:23:14 UTC 2020


On 2020/10/31 2:29 , Mark Andrews wrote:
> Because for DNSSEC to actually work through a forwarder you need to send both CD=0 and CD=1 queries.
> 
> Always send CD=1 is broken. I said it at the time. This is noted in the write up on the draft. The working group chairs failed in letting this go through. Logic showing the decision was broken should have trumped misguided wishes to not have intermediate resolvers perform validation. It was never too late to revisit a wrong decision.

RFC 6147 is Standards Track. Unless there is another Standards Track RFC
that requires validating resolvers to clear CD, it seems best for
interoperability to send packets with CD=1. I just checked Unbound and
it seems to send packets with CD=1.

Of course in the context of DNS64 it is only AAAA queries for which this
matters.

I agree with you that DNS64 is bad. But currently it is a Standards Track
RFC, and the DNS64 behavior can be disabled by setting CD and DO. So it
is hard to say that it gets in the way of DNSSEC validation.
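As an added illustration (not part of this thread or of any named resolver's code) of the RFC 6147 section 5.5 rule Philip refers to, the script below builds wire-format queries with the CD header bit and the EDNS0 DO bit, parses them back, and decides whether a DNS64 is permitted to synthesize an AAAA answer. The query name and transaction id are constructed sample values.

```python
import struct
# DNS header flags: CD (checking disabled) is bit 4 of the flags word.
FLAG_RD, FLAG_CD = 0x0100, 0x0010
# EDNS0 OPT RR (RFC 3225): DO is the top bit of the low 16 bits of the 32-bit TTL field.
EDNS_DO = 0x00008000
TYPE_AAAA, TYPE_OPT = 28, 41

def encode_name(name):
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(qname, qtype, cd, do, txid=0x1234):
    """Wire-format query; DO=1 requires an OPT RR in the additional section."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if do:  # OPT: root name, TYPE 41, UDP payload size 1232, TTL field carries DO, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return msg

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_query(msg):
    """Return the CD bit, the EDNS DO bit and the first QTYPE of a query."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, qtype, do = 12, None, False
    for _ in range(qd):
        off = skip_name(msg, off)
        qtype = struct.unpack_from("!H", msg, off)[0]
        off += 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        do = do or (rtype == TYPE_OPT and bool(ttl & EDNS_DO))
    return {"cd": bool(flags & FLAG_CD), "do": do, "qtype": qtype}

def dns64_may_synthesize(query):
    """RFC 6147 section 5.5: a DNS64 must not synthesize AAAA records for a query
    carrying both CD=1 and DO=1; synthesis is only relevant to AAAA queries."""
    q = parse_query(query)
    return q["qtype"] == TYPE_AAAA and not (q["cd"] and q["do"])
```

A validating stub behind a DNS64 forwarder therefore gets the real (possibly empty) AAAA data only when it sets both bits, which is what the CD=1 versus CD=0 discussion above hinges on.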
