Unsupported DNSSEC algorithms should not lead to SERVFAIL.
    Kelsey Cummings 
    kgc at corp.sonic.net
       
    Thu Oct 30 17:21:03 UTC 2025
    
    
  
We think that we got caught by this change as part of our rollout to 
9.18.41.  The basic gist is that, in a service provider context, our job 
is to do our best to resolve DNS as quickly and as well as possible for 
our customers.  If Google and Cloudflare resolve the domains and we 
can't, the customer does not care in the slightest why, only that 
they're not able to get to their work, school or other public resource. 
This just results in them migrating away from our recursive clusters to 
these public resources for good.

There certainly may be contexts where the new behavior is justified, but 
default or not, we need the ability to enable more relaxed behavior.

"be conservative in what you do, be liberal in what you accept from others"

https://gitlab.isc.org/isc-projects/bind9/-/issues/5570
-- 
kelsey.cummings at sonic.com                 sonic.net, inc.
System Architect                          2260 Apollo Way
707.522.1000                              Santa Rosa, CA
    
    