Value of a DNSSEC validating resolver

Sun Dec 3 02:45:32 UTC 2023

Clients need to send both cd=0 and cd=1 queries. The two types of queries address different failure scenarios. 

I tried hard to prevent the stupid just send cd=1 advice before it was published.  Years before there was a wish to reduce the amount of work a validating resolver does. There was bad advice from that and the WG chair refused to reopen the issue. 

CD=1 addresses bad clocks and trust anchors in resolvers. CD=0 addresses bad authoritative servers and spoofed responses.  You can start with either and try the other when validation fails. 

-- 
Mark Andrews

> On 3 Dec 2023, at 12:31, Crist Clark <cjc+bind-users at pumpky.net> wrote:
> 
> 
> Preface: Please don’t read any judgement of DNSSEC’s value into this question. Just looking for the opportunity to understand DNSSEC better from some world-class experts if any care to respond.
> 
> When a client (or any DNS-speaker) is doing validation, doesn’t it set CD on queries through a forwarder? In that sense, the intermediate servers do not filter “bad answers.” Or is my understanding incorrect? Or do you mean the data that the forwarder is using internally has been filtered of bad answers?
> 
> 
>> On Fri, Dec 1, 2023 at 1:40 PM Mark Andrews <marka at isc.org> wrote:
>> A validating resolver is a prerequisite for validating clients to work. Clients don’t have direct access to the authoritative servers so the can’t retrieve good answers if the recursive servers don’t filter out the bad answers.
>> 
>> Think of a recursive server as a town water treatment plant. You could filter and treat at every house and sometimes you still do like boiling water for baby formula but on the most part what you get out of it is good enough for consumption as is. 
>> 
>> 
>> -- 
>> Mark Andrews
>> 
>>>> On 2 Dec 2023, at 08:14, John Thurston <john.thurston at alaska.gov> wrote:
>>>> 
>>> 
>>> At first glance, the concept of a validating resolver seemed like a good idea. But in practice, it is turning out to be a hassle.
>>> 
>>> I'm starting to think, "If my clients want their answers validated, they should do it." If they *really* care about the quality of the answers they get, why should my clients be trusting *me* to validate them?
>>> 
>>> Can someone make a good case to me for continuing to perform DNSSEC validation on my central resolvers?
>>> 
>>> -- 
>>> --
>>> Do things because you should, not just because you can. 
>>> 
>>> John Thurston    907-465-8591
>>> John.Thurston at alaska.gov
>>> Department of Administration
>>> State of Alaska
>>> -- 
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>> 
>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>> 
>>> 
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>> -- 
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>> 
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>> 
>> 
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20231203/f031d412/attachment-0001.htm>