recursive lookups for UNSECURE names fail if is unreachable and dnssec-lookaside is 'auto'

Doug Barton dougb at
Wed Aug 27 18:54:50 UTC 2014

On 8/26/14 10:35 AM, Timothe Litt wrote:
> I think this is misleading, or at least poorly worded and subject to
> misinterpretation.

I chose my words carefully, and I stand by them.

I did not say that the DLV has no value, and I specifically mentioned 
that there are circumstances when it is valuable and should be used. You 
clearly have a different view, which is fine.

When it comes to gTLDs, I completely reject the notion that users cannot 
change registrars. It can be hard, no doubt, but it's a cost/benefit 
analysis. If the benefit of DNSSEC outweighs the difficulty of moving, 
then it's worth it. If not, it's not. The fact that it's hard doesn't 
mean it's impossible.

That said, I do recognize that there are situations where a chain of 
trust to the root is not possible (such as some reverse zones). Again, 
this becomes a cost/benefit analysis. For reverse zones if DNSSEC is 
important it may be worth the effort of changing providers, or even 
getting a PI assignment. For TLDs where DNSSEC is not yet available, a 
change may be in order. If enough people vote with their feet in this 
way those providers and TLDs that lose customers may reconsider their 

No one said it would be easy. :)


More information about the bind-users mailing list