Unsupported DNSSEC algorithms should not lead to SERVFAIL.
Richard Laager
rlaager at wiktel.com
Mon Nov 3 22:22:34 UTC 2025
On 2025-10-30 12:21, Kelsey Cummings wrote:
> in a service provider context, our job is to do our best to resolve
> DNS as quickly and as well as possible for our customers. If google
> and cloudflare resolve the domains and we can't, the customer does not
> care in the slightest why, only that they're not able to get to their
> work, school or other public resource. This just results in them
> migrating away from our recursive clusters to these public resources
> for good.
I wanted to second this sentiment.
I have run into multiple issues where BIND fails to resolve things that
the public resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9) resolve just fine. The
answer each time has been that the authoritative side is doing DNS
wrong. And, in each case, I ultimately agree with the BIND developers
that the authoritative side is wrong. However, that simply does not
matter to my customers. If they can resolve the name everywhere else,
then they view me as the problem. And when other resolvers resolve it
just fine, it's hard to get the authoritative side to care either. I'm
just one little ISP in the middle of nowhere.
Granted, I understand that BIND is open source and you have no
obligation to me.
--
Richard