disable dnssec in bind resolver

[Paul Vixie]

Doug Barton <dougb at dougbarton.us> writes:

> I have a guess at why ISC would want to enable it by default, and even in
> the presence of an option to turn it off I'm still Ok with that default.
> But if it's not a standards requirement to have it on, giving the admin a
> choice would be a welcome thing.

this was, as you pointed out, a controversial decision. BIND implements the
"DO" bit as "this requestor will not vomit or crash if you include DNSSEC
metadata in the response". we believe that this supports the eventual goal
of near-universal DNSSEC deployment, in which it's foolish to treat "DO" as
"this requestor is explicitly interested in DNSSEC metadata on this answer".

the earlier we face the UDP fragmentation pain, the smaller that pain will
have been by the time we overcome it. same thing for validator bugs, zone
signing/resigning errors/expirations, and everything else that makes "always
set DO" seem unattractive today, to today's sysadmins, who aren't involved
in any DNSSEC deployment crusade and don't appreciate being co-opted for it.

unless a new IETF RFC comes along and disambiguates the meaning of "DO" such
that it's only to be set if the requestor thinks it has a reasonable shot at
validating the resulting metadata, i expect BIND to keep setting "DO" on all
EDNS requests it generates. and i don't think you can make a _public benefit_
argument that this is wrong even though there are _private benefit_ arguments.
-- 
Paul Vixie
KI6YSY