Force Bind caching resolver to always obey DNSSEC

Phil Mayers p.mayers at imperial.ac.uk
Sat Oct 2 09:33:31 UTC 2010


On 10/02/2010 10:01 AM, lst_hoe02 at kwsoft.de wrote:

> So the problem is not resolvers unaware of DNSSEC but resolvers with
> inappropriate defaults or configured wrong by accident. Additionally
> this problem is not easily detectable as it can occur far downstream. So
> I would say it is a valid concern for network operators to make it
> possible to force obeying DNSSEC at the border.

The problem is that if, as some people expect, DNSSEC resolution 
eventually gets pushed down into "thick" client resolvers, then these 
resolvers need a way to tell the upstream cache "just cache, don't check".

This, as well as debugging, is what +cd is for (see 3.2.2. of RFC 4033).

Any "ignore +cd" config would have to be I think quite complex to avoid 
breaking this paradigm - probably an ACL.

I understand why you want this, but enabling such a feature (if it 
existed, which it doesn't) could have adverse effects too.
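As an added illustration of the ACL idea raised above (this is example code written for this page, not anything from the original post, from BIND, or from ISC), the following sketches what an "ignore +cd" policy at a border resolver would have to do at the wire level: read the CD (checking disabled) flag out of the DNS header, and clear it only for clients that are not on an allow-list of addresses trusted to run their own validator. The ACL networks, the function names and the sample query are all assumptions made up for the example; the header layout (CD is bit 0x0010 of the 16-bit flags field, AD is 0x0020) follows the DNSSEC protocol RFCs.

```python
"""Added example: selectively honouring the DNS CD bit at a border cache.

A client that validates DNSSEC itself sets CD so the upstream cache will
hand back data it could not validate ("just cache, don't check").  A
border resolver that wants to force validation for everyone else cannot
simply ignore CD; it needs a policy, and the natural shape for that policy
is an address-based ACL.  Everything below is illustrative and assumed.
"""
import ipaddress
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 layout,
# DNSSEC bits from RFC 4035 section 3.2): RD = 0x0100, AD = 0x0020, CD = 0x0010.
RD_FLAG = 0x0100
AD_FLAG = 0x0020
CD_FLAG = 0x0010

# Hypothetical ACL: clients inside these networks are trusted to run their
# own validating resolver, so their CD bit is passed through unchanged.
VALIDATING_CLIENTS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("2001:db8::/32"),
]


def build_query(name: str, qtype: int = 1, cd: bool = False,
                txid: int = 0x1234) -> bytes:
    """Build a minimal single-question DNS query on the wire (no EDNS)."""
    flags = RD_FLAG | (CD_FLAG if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def flags_of(msg: bytes) -> int:
    """Return the 16-bit flags word of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", msg[2:4])[0]


def cd_set(msg: bytes) -> bool:
    """True if the query asks the upstream cache to skip validation."""
    return bool(flags_of(msg) & CD_FLAG)


def clear_cd(msg: bytes) -> bytes:
    """Return a copy of the message with the CD bit cleared."""
    flags = flags_of(msg) & ~CD_FLAG & 0xFFFF
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


def client_may_disable_checking(client_ip: str) -> bool:
    """ACL check: may this client legitimately send CD=1?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in VALIDATING_CLIENTS)


def enforce_cd_policy(msg: bytes, client_ip: str) -> bytes:
    """Return the query as the border resolver should forward it.

    Trusted (validating) clients keep CD as sent; everyone else has CD
    stripped so the cache validates on their behalf.  Note the caveat from
    the post: stripping CD for a client that really is validating breaks
    its ability to fetch and inspect data the cache considers bogus.
    """
    if client_may_disable_checking(client_ip):
        return msg
    return clear_cd(msg)


if __name__ == "__main__":
    q = build_query("example.com", cd=True)  # constructed sample query
    for client in ("192.0.2.5", "10.1.2.3", "2001:db8::1"):
        out = enforce_cd_policy(q, client)
        print(f"{client:>12}: CD in={cd_set(q)} CD out={cd_set(out)}")
```

The same policy expressed in a real resolver would still need to decide what to do with the AD bit on the way back and how to treat queries that arrive over a forwarder rather than from an end client, which is the complexity the post alludes to.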


