disable dnssec in bind resolver
Doug Barton
dougb at dougbarton.us
Sat Jun 5 03:32:50 UTC 2010
On 06/04/10 19:40, Paul Vixie wrote:
> Doug Barton<dougb at dougbarton.us> writes:
>
>> I have a guess at why ISC would want to enable it by default, and even in
>> the presence of an option to turn it off I'm still Ok with that default.
>> But if it's not a standards requirement to have it on, giving the admin a
>> choice would be a welcome thing.
>
> this was, as you pointed out, a controversial decision. BIND implements the
> "DO" bit as "this requestor will not vomit or crash if you include DNSSEC
> metadata in the response". we believe that this supports the eventual goal
> of near-universal DNSSEC deployment, in which it's foolish to treat "DO" as
> "this requestor is explicitly interested in DNSSEC metadata on this answer".
>
> the earlier we face the UDP fragmentation pain, the smaller that pain will
> have been by the time we overcome it. same thing for validator bugs, zone
> signing/resigning errors/expirations, and everything else that makes "always
> set DO" seem unattractive today, to today's sysadmins, who aren't involved
> in any DNSSEC deployment crusade and don't appreciate being co-opted for it.
>
> unless a new IETF RFC comes along and disambiguates the meaning of "DO" such
> that it's only to be set if the requestor thinks it has a reasonable shot at
> validating the resulting metadata, i expect BIND to keep setting "DO" on all
> EDNS requests it generates. and i don't think you can make a _public benefit_
> argument that this is wrong even though there are _private benefit_ arguments.
Ok, so my guess as to ISC's motivations was pretty much on the mark, and
speaking with my "Guy who loves the Internet and wants to see things
work better for everybody" hat on, I am totally in agreement. That's why
I said I would have no problem with a theoretical DO knob defaulting to
"On."
With my business hat on though I can see at least 2 possible use cases
for DO=0. The first being related to this thread, "I can't/won't
fix/remove the firewall today, I just want my resolver to work." The
hapless user in that spot is either going to use another vendor, or go
back to the old version of BIND that "works." I know market share isn't
a _primary_ concern for BIND, but I would argue that the "go back to old
version" answer to this dilemma is something that we should all be
concerned about.
The other use case that leaps immediately to mind is "We do 42
scintillion DNS queries per second and our bandwidth cost has tripled in
the last 3 months! What in the name of J. Jonah Jameson is going on
around here?!?"
In all fairness, I don't have any actual clients telling me that DO=1 is
a problem for them, this is pure speculation on my part; although it's
speculation with a reasonable amount of experience behind it. In the
face of an actual client having actual DO=1 problems I would of course
encourage them to fix the underlying issue (and of course, to enable
DNSSEC). :) But if they can't/won't/etc ....
Doug (you kids with your newfangled contraptions, get off my lawn!)
--
... and that's just a little bit of history repeating.
-- Propellerheads
Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/
More information about the bind-users
mailing list