Re: [dnsext] caches, validating resolvers, CD and DO

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Thu, 31 March 2011 14:26 UTC

From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Date: Thu, 31 Mar 2011 07:27:42 -0700
To: Derek Atkins <>
X-Mailer: Apple Mail (2.1084)
Cc: Marc Lampo <>, Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>,
Subject: Re: [dnsext] caches, validating resolvers, CD and DO

>> Until they strip DNSSEC information.  You MUST validate locally....
> I disagree.  I run a local network in my house and run local caching
> recursive resolvers.  I have all my hosts on my network resolve through
> my local caches.  I run all my machines, therefore I trust my cache.  I
> see no reason to *require* all my machines to bypass the local cache.
> Moreover, in my case I see no reason to require all my machines to
> perform local validation.  I trust myself.
> Therefore, calling it a MUST is wrong.
>> You want the end client to have its own policy on what to do on DNSSEC
>> failure, not be dependent on the resolver's policy, and thus
>> validating clients really should use CD with every request.
> I agree in principle, however that policy can also be "trust the caching
> recursive resolver."  Saying that the client MUST validate does not
> allow for this trusting policy.
> -derek

Good point; however, the default policy should still be a must, since your configuration is rather unusual: DNSSEC enables DNS to not trust the recursive resolver, and the default policy should take advantage of this.

Defaults should provide maximum safety and maximum interoperability for the majority of the clients.
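As an added illustration of the CD/DO point argued in this thread (example code written for this page, not code from the thread's participants or any project): a client that sets CD in its queries is telling the resolver it will validate itself, so it must not lean on the resolver's AD bit; a client that leaves CD clear is the "trust my cache" policy. The bit positions are the standard RFC 1035/4035 ones; the name and transaction id are constructed.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035) and the EDNS DO bit (RFC 4035).
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # authentic data, set by a validating resolver
FLAG_CD = 0x0010  # checking disabled: the client will validate itself
EDNS_DO = 0x8000  # DNSSEC OK bit, carried in the OPT RR TTL field


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus root."""
    labels = name.rstrip(".").split(".")
    out = b"".join(struct.pack("B", len(lb)) + lb.encode("ascii") for lb in labels)
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int, cd: bool, do: bool) -> bytes:
    """Build a DNS query; cd=True sets CD, do=True appends an OPT RR with DO."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if do:
        # OPT RR: root name, type 41, UDP payload 4096, TTL field holds DO, rdlen 0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_flags(msg: bytes) -> dict:
    """Return the header flag bits a validating client cares about."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return {"rd": bool(flags & FLAG_RD), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD)}


def query_has_do(msg: bytes) -> bool:
    """Check the trailing OPT RR of a query built by build_query for DO."""
    arcount = struct.unpack("!H", msg[10:12])[0]
    if arcount == 0:
        return False
    _, rtype, _, ttl, _ = struct.unpack("!BHHIH", msg[-11:])
    return rtype == 41 and bool(ttl & EDNS_DO)


def client_may_rely_on_ad(sent_cd: bool, response_flags: dict) -> bool:
    """Only a client that trusts its resolver (CD clear) may act on AD;
    a CD-setting client validates locally and ignores the resolver's AD."""
    return (not sent_cd) and response_flags["ad"]
```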