Sparklight and DNSSEC
Petr Špaček
pspacek at isc.org
Mon Sep 26 06:30:15 UTC 2022
On 24. 09. 22 11:20, Bjørn Mork wrote:
> Philip Prindeville <philipp_subx at redfish-solutions.com> writes:
>
>> How many ISP's squelch DNSSEC like that? I hope it's not a common practice!
>
> More common than you'd like to think. See Geoff's excellent world map
> at https://stats.labs.apnic.net/dnssec
>
> Note that no validation implies no signatures for downstream resolvers.
> Which makes the non-validating resolvers useless in forwarder
> statements, like you discovered. And useless in many other situations
> as well. You can't do DANE for example.
Please allow me to correct this:
named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC
signatures (and other metadata) without validating them.
named.conf statement 'dnssec-validation auto;' then enables DNSSEC
validation itself.
In other words, it is possible to allow DNSSEC to work for forwarders
without doing validation itself. If the ISP in question resists enabling
DNSSEC then at least 'dnssec-enabled yes; dnssec-validation no;'
configuration would improve the situation for people who care.
--
Petr Špaček
Internet Systems Consortium
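The two-resolver arrangement described in the reply above, written out as an added example that is not part of the original thread: an upstream resolver that passes DNSSEC records through without validating, and a downstream BIND that forwards to it and validates on its own. It assumes a BIND release that still accepts the first option (its actual named.conf spelling is `dnssec-enable`; newer releases deprecate it, always forward the records, and only `dnssec-validation` matters); the forwarder address is a placeholder.

```conf
// File 1: named.conf of the upstream (e.g. ISP) resolver.
// It answers with RRSIG/DNSKEY/NSEC* records when a client sets the DO bit,
// but performs no validation itself, so it never sets the AD flag.
options {
    recursion yes;
    dnssec-enable yes;        // hand DNSSEC records through to clients
    dnssec-validation no;     // no validation here; leave that to the client
};

// File 2: named.conf of the downstream resolver that forwards to file 1.
// Because the upstream keeps the signatures, this instance can validate
// every answer against the built-in root trust anchor.
options {
    recursion yes;
    forward only;
    forwarders { 192.0.2.53; };   // placeholder: address of the upstream resolver
    dnssec-validation auto;       // validate; answers from signed zones get AD
};
```

With both in place, `dig +dnssec @<downstream> <signed-name>` shows the `ad` flag; if the upstream instead strips the signatures, the same query for a signed zone fails with SERVFAIL on the downstream, which is the breakage the thread starts from.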