[dns-operations] which breakage is this? FreeBSD.org / systemd-resolved

Mark Andrews marka at isc.org
Mon Nov 2 01:53:30 UTC 2020



> On 2 Nov 2020, at 05:02, Philip Homburg <philip.homburg at ripe.net> wrote:
> 
> On 2020/11/01 17:55 , Andrew Sullivan wrote:
>> You basically
>> have two choices: do DNSSEC validation on your endpoint and probably
>> fail some of the time, 
> 
> Can you explain how DNSSEC validation would fail behind DNS64 if all
> queries are sent with both DO and CD set?

DNSSEC requires intermediate resolvers to validate to defeat spoofed
responses.  The validator is supposed to wait for the legitimate response
to arrive.  If you don’t care about denial of service attacks caused
by spoofed traffic then go ahead and always send CD=1.  There is no way
to make a forwarder send you *good* answers once it has learned a spoofed
answer with CD=1.  You need CD=0 and validation by the forwarder to defeat
spoofed traffic being sent to the forwarder.  You also need CD=0 and
validation to recover from an authoritative server with an old version
of the zone.

CD=1 was designed to allow you to get answer through a forwarder when
the forwarder has 1) a bad clock, 2) a bad trust anchor both of which can
result in SERVFAIL being returned on what should otherwise be valid
responses to the forwarder.

Mark

> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
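As an added illustration of the flags discussed above (not part of Mark's message), the following Python builds a query with RD, CD in the header and DO in an EDNS0 OPT record, and reads the QR/RD/RA/AD/CD/DO bits back out of any DNS message, so you can check what a forwarder actually returns to you. The function names, the transaction ID and the constructed `build_response` helper (which fakes a single A-record reply, with AD set only when told to) are assumptions for the example; nothing here talks to the network.

```python
import struct

# Header flag bits (RFC 1035 s4.1.1; AD and CD from RFC 4035 s3.2).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
TYPE_OPT = 41
DO = 0x8000  # DNSSEC OK bit lives in the OPT RR's TTL field (RFC 3225).
UDP_SIZE = 1232


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, cd=True, do=True):
    """Query with RD set; CD goes in the header, DO in an EDNS0 OPT RR."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    msg = header + question
    if do:
        # OPT: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode | version | DO | Z, RDLEN = 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, UDP_SIZE, DO, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_flags(msg):
    """Security-relevant header flags plus DO from the OPT RR, if present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT and ttl & DO:
            do = True
    return {
        "id": txid, "rcode": flags & 0x000F,
        "qr": bool(flags & QR), "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD), "do": do,
    }


def build_response(query, rdata, ad=False, ttl=300):
    """Constructed single-A-record reply (hypothetical forwarder behaviour):
    copies RD and CD from the query, sets AD only if asked to, echoes OPT."""
    txid, qflags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    question = query[12:skip_name(query, 12) + 4]
    has_opt = ar > 0  # our queries carry at most one additional RR: OPT
    flags = QR | RA | (qflags & (RD | CD)) | (AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1 if has_opt else 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    msg = header + question + answer
    if has_opt:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, UDP_SIZE, DO, 0)
    return msg


if __name__ == "__main__":
    q = build_query("example.com", cd=True, do=True)
    print("query:", parse_flags(q))
    # A forwarder answering a CD=1 query returns whatever it holds, unvalidated,
    # so AD stays clear; only a CD=0 query can come back with AD set.
    print("reply:", parse_flags(build_response(q, bytes([192, 0, 2, 1]))))
```

The same query from a shell is `dig +dnssec +cdflag example.com A`; the flags line of the reply is where you look for AD (or its absence) before trusting the answer.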