disable dnssec in bind resolver

Paul Vixie vixie at isc.org
Sat Jun 5 04:58:57 UTC 2010


Doug Barton <dougb at dougbarton.us> writes:

> On 06/04/10 19:40, Paul Vixie wrote:
>> ...
>> 
>> unless a new IETF RFC comes along and disambiguates the meaning of "DO"
>> such that it's only to be set if the requestor thinks it has a
>> reasonable shot at validating the resulting metadata, i expect BIND to
>> keep setting "DO" on all EDNS requests it generates. and i don't think
>> you can make a _public benefit_ argument that this is wrong even though
>> there are _private benefit_ arguments.
>
> ...
>
> With my business hat on though I can see at least 2 possible use cases for
> DO=0. The first being related to this thread, "I can't/won't fix/remove the
> firewall today, I just want my resolver to work."

it works. it's just slower because it has to fall back. this is one of the
reasons we fall back to BUFSIZE=512 before falling all the way back to DNS
(that is, turning EDNS off altogether.)

> The hapless user in that spot is either going to use another vendor, or
> go back to the old version of BIND that "works." I know market share
> isn't a _primary_ concern for BIND, but I would argue that the "go back
> to old version" answer to this dilemma is something that we should all be
> concerned about.

that's been *very* rare on this point. ISC is concerned about relevance,
since we don't want to develop stuff that folks don't want to use. that's
*not* happening en masse in this case.

> ...
> 
> In all fairness, I don't have any actual clients telling me that DO=1 is
> a problem for them, this is pure speculation on my part; ...

yes, i know that, because i'd see the other side of it if it was going on.
-- 
Paul Vixie
KI6YSY
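The fallback ladder Vixie describes (EDNS with DO=1, then EDNS with a 512-byte buffer, then plain DNS with no OPT record) can be seen concretely by building the queries by hand. The block below is an added example, not code from BIND or from either author in the thread. It assembles real DNS wire-format queries (RFC 1035 header and question, RFC 6891 OPT pseudo-RR with the DO bit in the TTL field) and walks the three stages against a constructed stand-in for a misbehaving firewall, so it runs offline; the names `build_query`, `parse_edns`, `resolve_with_fallback` and `make_firewall` are this example's own, as are the 4096-byte first-stage buffer size and the stage labels. Which stage finally gets an answer tells an operator what the middlebox is dropping.

```python
"""EDNS DO bit and the resolver fallback ladder from the bind-users thread.

Added example (not BIND code). Queries are real DNS wire format; the
'firewall' is a constructed callable so everything runs offline.
"""
import struct
from typing import Callable, Optional

DO_FLAG = 0x8000  # DNSSEC OK: high bit of the 16-bit flags inside the OPT TTL field
OPT_TYPE = 41     # RFC 6891 OPT pseudo-RR type code


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                edns_bufsize: Optional[int] = 4096, do: bool = True) -> bytes:
    """Return a DNS query for `name`. edns_bufsize=None means plain DNS (no OPT RR)."""
    arcount = 0 if edns_bufsize is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if edns_bufsize is None:
        return header + question
    ttl = DO_FLAG if do else 0  # ext-rcode=0, version=0, flags=DO?
    # OPT RR: root name, TYPE=OPT, CLASS=UDP payload size, TTL=ext flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, ttl, 0)
    return header + question + opt


def parse_edns(query: bytes) -> Optional[dict]:
    """Return {'bufsize', 'do'} from a trailing OPT RR, or None if the query is plain DNS."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return None
    name, typ, bufsize, ttl, _rdlen = struct.unpack("!BHHIH", query[-11:])
    if name != 0 or typ != OPT_TYPE:
        return None
    return {"bufsize": bufsize, "do": bool(ttl & DO_FLAG)}


# A responder takes query bytes and returns reply bytes, or None on timeout.
Responder = Callable[[bytes], Optional[bytes]]

# The ladder as the post describes it: DO stays set on every EDNS attempt,
# the buffer shrinks to 512 first, and only then is EDNS dropped entirely.
LADDER = [("edns-do-4096", 4096, True), ("edns-do-512", 512, True), ("plain-dns", None, False)]


def resolve_with_fallback(name: str, send: Responder) -> dict:
    """Try each stage in turn; report which one got an answer and what was attempted."""
    attempts = []
    for label, bufsize, do in LADDER:
        attempts.append(label)
        reply = send(build_query(name, edns_bufsize=bufsize, do=do))
        if reply is not None:
            return {"stage": label, "attempts": attempts, "reply": reply}
    return {"stage": None, "attempts": attempts, "reply": None}


def make_firewall(drop_edns: bool = False, max_bufsize: Optional[int] = None) -> Responder:
    """Constructed middlebox stand-in (assumption, not any real product's behaviour).

    Silently drops (returns None) any EDNS query when drop_edns is set, or any EDNS
    query advertising a buffer larger than max_bufsize. Otherwise returns a minimal
    reply with QR/RA set; only 'did an answer come back' matters for the ladder.
    """
    def send(query: bytes) -> Optional[bytes]:
        edns = parse_edns(query)
        if edns is not None:
            if drop_edns:
                return None
            if max_bufsize is not None and edns["bufsize"] > max_bufsize:
                return None
        return query[:2] + b"\x81\x80" + query[4:]  # same txid, flags QR=1 RD=1 RA=1
    return send


if __name__ == "__main__":
    for desc, fw in [("clean path", make_firewall()),
                     ("caps EDNS at 512", make_firewall(max_bufsize=512)),
                     ("drops all EDNS", make_firewall(drop_edns=True))]:
        result = resolve_with_fallback("example.com.", fw)
        print(f"{desc:18s} answered at stage {result['stage']} after {result['attempts']}")
```

Each extra rung on the ladder is a timeout the user waits through before the resolver "works", which is the slowness the post refers to; a resolver that only ever succeeds at `plain-dns` is the signature of a firewall eating every OPT-bearing packet, while success only at the 512-byte stage points at a size limit rather than at EDNS or DO as such.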