<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">A validating resolver is a prerequisite for validating clients to work. Clients don’t have direct access to the authoritative servers so the can’t retrieve good answers if the recursive servers don’t filter out the bad answers.<div><br></div><div>Think of a recursive server as a town water treatment plant. You could filter and treat at every house and sometimes you still do like boiling water for baby formula but on the most part what you get out of it is good enough for consumption as is. <br><div><br><div dir="ltr">-- <div>Mark Andrews</div></div><div dir="ltr"><br><blockquote type="cite">On 2 Dec 2023, at 08:14, John Thurston <john.thurston@alaska.gov> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p>At first glance, the concept of a validating resolver seemed like
a good idea. But in practice, it is turning out to be a hassle.</p>
<p>I'm starting to think, "If my clients want their answers
validated, they should do it." If they *really* care about the
quality of the answers they get, why should my clients be trusting
*me* to validate them?</p>
<p>Can someone make a good case to me for continuing to perform
DNSSEC validation on my central resolvers?<br>
</p>
<pre class="moz-signature" cols="72">--
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
<a class="moz-txt-link-abbreviated" href="mailto:John.Thurston@alaska.gov">John.Thurston@alaska.gov</a>
Department of Administration
State of Alaska</pre>
<span>-- </span><br><span>Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list</span><br><span></span><br><span>ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.</span><br><span></span><br><span></span><br><span>bind-users mailing list</span><br><span>bind-users@lists.isc.org</span><br><span>https://lists.isc.org/mailman/listinfo/bind-users</span><br></div></blockquote></div></div></body></html>