Force Bind caching resolver to always obey DNSSEC
Phil Mayers
p.mayers at imperial.ac.uk
Sat Oct 2 09:33:31 UTC 2010
On 10/02/2010 10:01 AM, lst_hoe02 at kwsoft.de wrote:
> So the problem is not resolvers unaware of DNSSEC but resolvers with
> inappropriate defaults or configured wrong by accident. Additionally
> this problem is not easily detectable as it can occur far downstream. So
> I would say it is a valid concern for network operators to make it
> possible to force obeying DNSSEC at the border.
The problem is that if, as some people expect, DNSSEC resolution
eventually gets pushed down into "thick" client resolvers, then these
resolvers need a way to tell the upstream cache "just cache, don't check".
This, as well as debugging, is what +cd is for (see section 3.2.2 of RFC 4033).
Any "ignore +cd" config would have to be, I think, quite complex to avoid
breaking this paradigm - probably an ACL.
I understand why you want this, but enabling such a feature (if it
existed, which it doesn't) could have adverse effects too.
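As an added illustration (not part of this thread or of BIND), the +cd flag discussed above is a single bit in the DNS header. This Python sketch builds a query with and without CD and shows how a downstream client should read a validating cache's reply; the sample replies are constructed, not captured traffic.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035 section 3.1.6)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # Authentic Data: the cache validated the answer itself
FLAG_CD = 0x0010  # Checking Disabled: "just cache, don't check" (dig +cd)
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2

def build_query(qname, qtype=1, txid=0x1234, checking_disabled=False):
    """Wire-format query; checking_disabled=True is what `dig +cd` sends."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte header into the fields a client cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "cd": bool(flags & FLAG_CD), "ad": bool(flags & FLAG_AD),
            "rcode": flags & RCODE_MASK, "ancount": an}

def classify(resp):
    """How a downstream (possibly validating) client should read the reply."""
    h = parse_header(resp)
    if h["rcode"] == RCODE_SERVFAIL and not h["cd"]:
        return "validation-failed"            # cache refused to hand over bogus data
    if h["ad"] and not h["cd"]:
        return "validated-upstream"           # cache vouches for the data
    if h["cd"]:
        return "unvalidated-caller-must-check"  # client asked for raw data
    return "unvalidated"

# Constructed sample replies (not captured): a validating cache that found a
# bogus signature answers SERVFAIL when CD=0, echoes CD and leaves AD clear
# when the client sent +cd, and sets AD when validation succeeded.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 0)
SAMPLE_CD_ANSWER = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD, 1, 1, 0, 0)
SAMPLE_AD_ANSWER = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com", checking_disabled=True)
    print(parse_header(q))
    for r in (SAMPLE_SERVFAIL, SAMPLE_CD_ANSWER, SAMPLE_AD_ANSWER):
        print(classify(r))
```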