disable dnssec in bind resolver

Doug Barton dougb at dougbarton.us
Sat Jun 5 03:32:50 UTC 2010


On 06/04/10 19:40, Paul Vixie wrote:
> Doug Barton<dougb at dougbarton.us>  writes:
>
>> I have a guess at why ISC would want to enable it by default, and even in
>> the presence of an option to turn it off I'm still Ok with that default.
>> But if it's not a standards requirement to have it on, giving the admin a
>> choice would be a welcome thing.
>
> this was, as you pointed out, a controversial decision. BIND implements the
> "DO" bit as "this requestor will not vomit or crash if you include DNSSEC
> metadata in the response". we believe that this supports the eventual goal
> of near-universal DNSSEC deployment, in which it's foolish to treat "DO" as
> "this requestor is explicitly interested in DNSSEC metadata on this answer".
>
> the earlier we face the UDP fragmentation pain, the smaller that pain will
> have been by the time we overcome it. same thing for validator bugs, zone
> signing/resigning errors/expirations, and everything else that makes "always
> set DO" seem unattractive today, to today's sysadmins, who aren't involved
> in any DNSSEC deployment crusade and don't appreciate being co-opted for it.
>
> unless a new IETF RFC comes along and disambiguates the meaning of "DO" such
> that it's only to be set if the requestor thinks it has a reasonable shot at
> validating the resulting metadata, i expect BIND to keep setting "DO" on all
> EDNS requests it generates. and i don't think you can make a _public benefit_
> argument that this is wrong even though there are _private benefit_ arguments.

Ok, so my guess as to ISC's motivations was pretty much on the mark, and 
speaking with my "Guy who loves the Internet and wants to see things 
work better for everybody" hat on, I am totally in agreement. That's why 
I said I would have no problem with a theoretical DO knob defaulting to 
"On."

With my business hat on though I can see at least 2 possible use cases 
for DO=0. The first being related to this thread, "I can't/won't 
fix/remove the firewall today, I just want my resolver to work." The 
hapless user in that spot is either going to use another vendor, or go 
back to the old version of BIND that "works." I know market share isn't 
a _primary_ concern for BIND, but I would argue that the "go back to old 
version" answer to this dilemma is something that we should all be 
concerned about.

The other use case that leaps immediately to mind is "We do 42 
scintillion DNS queries per second and our bandwidth cost has tripled in 
the last 3 months! What in the name of J. Jonah Jameson is going on 
around here?!?"

In all fairness, I don't have any actual clients telling me that DO=1 is 
a problem for them, this is pure speculation on my part; although it's 
speculation with a reasonable amount of experience behind it. In the 
face of an actual client having actual DO=1 problems I would of course 
encourage them to fix the underlying issue (and of course, to enable 
DNSSEC). :)  But if they can't/won't/etc ....


Doug (you kids with your newfangled contraptions, get off my lawn!)

-- 

	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/
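
[Added example, not part of the thread and not BIND code.] For anyone who wants to see what the "DO" bit argued about above actually looks like on the wire, here is a small Python script that builds an EDNS0 query with DO set (what the quote says BIND does on every EDNS request it generates), a plain pre-EDNS query, and a helper that clears DO in an existing packet, i.e. the hypothetical DO=0 knob Doug is asking for. The layout it relies on is the standard one: OPT pseudo-RR type 41, the advertised UDP payload size in the CLASS field, and DO as the high bit of the flags half of the OPT TTL field (RFC 3225 / RFC 6891). Function names such as build_query, find_opt and clear_do are this example's own, and the example.com query is constructed sample input.

```python
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000     # "DNSSEC OK": high bit of the flags in the OPT TTL field (RFC 3225)
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=0x1234, edns=True, do=True, udp_size=4096):
    """Build a recursion-desired UDP query; with edns=True append an OPT RR, DO set if do=True."""
    arcount = 1 if edns else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # header, RD bit only
    pkt += encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    if edns:
        # OPT RR: NAME=root, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=(extended RCODE | EDNS version | flags), RDLEN=0 (no options)
        flags = DO_FLAG if do else 0
        ttl_field = (0 << 24) | (0 << 16) | flags
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl_field, 0)
    return pkt


def _skip_name(pkt, off):
    """Return the offset just past the name starting at `off` (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def find_opt(pkt):
    """Locate the OPT RR in any DNS message; return its fixed-field offset, UDP size and TTL field."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        if rtype == OPT_TYPE:
            return {"fixed_off": off, "udp_size": rclass, "ttl": ttl}
        off += 10 + rdlen                       # TYPE+CLASS+TTL+RDLEN + RDATA
    return None


def do_bit_set(pkt):
    """True/False when the message carries an OPT RR, None when it has no EDNS0 at all."""
    opt = find_opt(pkt)
    if opt is None:
        return None
    return bool(opt["ttl"] & DO_FLAG)


def udp_payload_size(pkt):
    """Advertised EDNS0 UDP payload size, or None without EDNS0."""
    opt = find_opt(pkt)
    return None if opt is None else opt["udp_size"]


def clear_do(pkt):
    """Return a copy of `pkt` with DO cleared but EDNS0 (and its UDP size) kept: the 'DO=0 knob'."""
    opt = find_opt(pkt)
    if opt is None:
        return pkt
    ttl_off = opt["fixed_off"] + 4              # TYPE(2) + CLASS(2) precede the TTL field
    new_ttl = opt["ttl"] & ~DO_FLAG & 0xFFFFFFFF
    return pkt[:ttl_off] + struct.pack("!I", new_ttl) + pkt[ttl_off + 4:]


if __name__ == "__main__":
    q = build_query("example.com.")
    print("DO=1 query:", q.hex())
    print("DO=0 query:", clear_do(q).hex())
    print("no EDNS   :", build_query("example.com.", edns=False).hex())
```

The same bytes are what `dig +dnssec` versus `dig +nodnssec` put on the wire, so do_bit_set() run over a packet capture is a quick way to confirm whether the resolver in front of a "broken" firewall is really sending DO=1, and udp_payload_size() shows the advertised size that invites the large, fragmented answers the thread is about. Clearing DO only makes the upstream server leave out the DNSSEC metadata; it does nothing about a firewall that drops EDNS or fragments outright.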



