disable dnssec in bind resolver

Mark Andrews marka at isc.org
Sat Jun 5 14:22:37 UTC 2010


In message <4C09C562.7030204 at dougbarton.us>, Doug Barton writes:
> 
> Ok, so my guess as to ISC's motivations was pretty much on the mark, and 
> speaking with my "Guy who loves the Internet and wants to see things 
> work better for everybody" hat on, I am totally in agreement. That's why 
> I said I would have no problem with a theoretical DO knob defaulting to 
> "On."
> 
> With my business hat on though I can see at least 2 possible use cases 
> for DO=0. The first being related to this thread, "I can't/won't 
> fix/remove the firewall today, I just want my resolver to work." The 
> hapless user in that spot is either going to use another vendor, or go 
> back to the old version of BIND that "works." I know market share isn't 
> a _primary_ concern for BIND, but I would argue that the "go back to old 
> version" answer to this dilemma is something that we should all be 
> concerned about.

The resolver works.  It figures out that it can't make the new style
queries and falls back to the old style queries.  If the user is really
worried they can turn off EDNS and with that DO.
 
> The other use case that leaps immediately to mind is "We do 42 
> scintillion DNS queries per second and our bandwidth cost has tripled in 
> the last 3 months! What in the name of J. Jonah Jameson is going on 
> around here?!?"

It's still a handful of zones that are signed.  Referrals are a hundred or
so bytes bigger.  Many still fit in 512 bytes.  If your business isn't DNS
then you really won't notice.  If it is DNS then you should be using that
data to verify the answers you are receiving.
 
> In all fairness, I don't have any actual clients telling me that DO=1 is 
> a problem for them, this is pure speculation on my part; although it's 
> speculation with a reasonable amount of experience behind it. In the 
> face of an actual client having actual DO=1 problems I would of course 
> encourage them to fix the underlying issue (and of course, to enable 
> DNSSEC). :)  But if they can't/won't/etc ....
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
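To make the "new style" versus "old style" query distinction in Mark's reply concrete, here is an added example (not code from the thread or from BIND) that builds a DNS query with an EDNS0 OPT record carrying the DO bit, reads the bit back from the wire format, and then performs the fallback he describes: the same question re-sent without EDNS at all. The packet layout follows RFC 6891 (OPT is type 41, the UDP payload size rides in the CLASS field, DO is the top bit of the 16-bit flags inside the TTL field); the query name example.com and the transaction id are constructed values.

```python
"""EDNS0/DO on the wire, and the non-EDNS fallback a resolver makes.

Constructed example: no network traffic, only packet bytes are built and parsed.
"""
import struct

TYPE_OPT = 41          # OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000       # DNSSEC OK bit: high bit of the flags half of the OPT TTL
CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP payload limit when no OPT record is present


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, edns=True, do=True, udp_size=4096):
    """Build a recursion-desired query; with edns=True an OPT record is appended."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)     # class IN
    pkt = header + question
    if edns:
        flags = DO_FLAG if do else 0
        ttl = (0 << 24) | (0 << 16) | flags   # ext-rcode=0, version=0, DO/Z
        # OPT: root name, TYPE=41, CLASS=advertised UDP size, TTL=flags, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return pkt


def _skip_name(pkt, off):
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _skip_rr(pkt, off):
    off = _skip_name(pkt, off)
    rdlen = struct.unpack_from("!H", pkt, off + 8)[0]  # after TYPE, CLASS, TTL
    return off + 10 + rdlen


def _additional_offset(pkt):
    """Return (header fields, byte offset of the additional section)."""
    fields = struct.unpack_from("!HHHHHH", pkt, 0)
    _, _, qd, an, ns, _ = fields
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4   # QTYPE + QCLASS
    for _ in range(an + ns):
        off = _skip_rr(pkt, off)
    return fields, off


def edns_info(pkt):
    """Return (has_opt, do_bit, udp_size); without OPT the limit is 512 bytes."""
    fields, off = _additional_offset(pkt)
    for _ in range(fields[5]):
        rtype, rclass, ttl = struct.unpack_from("!HHI", pkt, _skip_name(pkt, off))
        if rtype == TYPE_OPT:
            return True, bool(ttl & DO_FLAG), rclass
        off = _skip_rr(pkt, off)
    return False, False, CLASSIC_UDP_LIMIT


def strip_edns(pkt):
    """The fallback: the same query with the OPT record removed and ARCOUNT fixed."""
    fields, off = _additional_offset(pkt)
    txid, flags, qd, an, ns, ar = fields
    for _ in range(ar):
        start = off
        rtype = struct.unpack_from("!H", pkt, _skip_name(pkt, off))[0]
        off = _skip_rr(pkt, off)
        if rtype == TYPE_OPT:
            header = struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar - 1)
            return header + pkt[12:start] + pkt[off:]
    return pkt


def fits_classic_udp(pkt):
    """True if a message needs no EDNS to travel in a single classic UDP datagram."""
    return len(pkt) <= CLASSIC_UDP_LIMIT


if __name__ == "__main__":
    q = build_query("example.com")
    print("EDNS query:", len(q), "bytes, (opt, do, size) =", edns_info(q))
    fallback = strip_edns(q)
    print("fallback  :", len(fallback), "bytes, (opt, do, size) =", edns_info(fallback))
```

The two query forms differ only by the eleven-byte OPT record; a middlebox that drops or mangles EDNS sees the second form after the resolver times out the first, which is why the thread's "it falls back" answer holds without any DO knob. The `fits_classic_udp` check is the size test that matters for responses, since a reply larger than 512 bytes can only arrive whole if the query advertised a bigger payload in OPT.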