Clients need to send both cd=0 and cd=1 queries. The two types of queries address different failure scenarios.
I tried hard to prevent the stupid "just send cd=1" advice before it was published. Years before there was a wish to reduce the amount of work a validating resolver does. There was bad advice from that and the WG chair refused to reopen the issue.

CD=1 addresses bad clocks and trust anchors in resolvers. CD=0 addresses bad authoritative servers and spoofed responses. You can start with either and try the other when validation fails.

--
Mark Andrews

> On 3 Dec 2023, at 12:31, Crist Clark <cjc+bind-us...@pumpky.net> wrote:
>
> Preface: Please don’t read any judgement of DNSSEC’s value into this question. Just looking for the opportunity to understand DNSSEC better from some world-class experts if any care to respond.
>
> When a client (or any DNS-speaker) is doing validation, doesn’t it set CD on queries through a forwarder? In that sense, the intermediate servers do not filter “bad answers.” Or is my understanding incorrect? Or do you mean the data that the forwarder is using internally has been filtered of bad answers?
>
>> On Fri, Dec 1, 2023 at 1:40 PM Mark Andrews <ma...@isc.org> wrote:
>> A validating resolver is a prerequisite for validating clients to work. Clients don’t have direct access to the authoritative servers so they can’t retrieve good answers if the recursive servers don’t filter out the bad answers.
>>
>> Think of a recursive server as a town water treatment plant. You could filter and treat at every house, and sometimes you still do, like boiling water for baby formula, but for the most part what you get out of it is good enough for consumption as is.
>>
>> --
>> Mark Andrews
>>
>>> On 2 Dec 2023, at 08:14, John Thurston <john.thurs...@alaska.gov> wrote:
>>>
>>> At first glance, the concept of a validating resolver seemed like a good idea. But in practice, it is turning out to be a hassle.
>>>
>>> I'm starting to think, "If my clients want their answers validated, they should do it." If they *really* care about the quality of the answers they get, why should my clients be trusting *me* to validate them?
>>>
>>> Can someone make a good case to me for continuing to perform DNSSEC validation on my central resolvers?
>>>
>>> --
>>> Do things because you should, not just because you can.
>>>
>>> John Thurston 907-465-8591
>>> john.thurs...@alaska.gov
>>> Department of Administration
>>> State of Alaska
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
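The CD=0 / CD=1 fallback Mark describes, as an added example that is not part of the thread and not BIND code: a minimal wire-format query builder that sets the CD bit, plus a client loop that starts with one setting and retries with the other when the resolver answers SERVFAIL. The two resolvers are constructed stand-ins (one with a bad trust anchor or clock, one healthy) so nothing touches the network; the client-side validation a CD=1 answer requires is assumed to happen elsewhere.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2)
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010          # Authentic Data / Checking Disabled
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_query(qname, qtype=1, cd=False, txid=0x1234):
    """Wire-format query for qname/qtype; cd=True sets the CD bit (RD is always set)."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # 1 question, no RRs
    labels = b"".join(bytes([len(lab)]) + lab.encode()
                      for lab in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN


def parse_header(msg):
    """Extract id, CD, AD and RCODE from a 12-byte DNS header."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "cd": bool(flags & FLAG_CD),
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F}


def resolve_with_fallback(send, qname, start_cd=False):
    """Start with one CD setting and try the other if the first attempt SERVFAILs.
    `send` takes query bytes and returns response bytes. Returns (header, cd_used),
    or (None, None) when both attempts fail. A CD=1 answer comes back without AD,
    so the caller has to validate it itself (assumed to happen outside this code)."""
    for cd in (start_cd, not start_cd):
        hdr = parse_header(send(build_query(qname, cd=cd)))
        if hdr["rcode"] != RCODE_SERVFAIL:
            return hdr, cd
    return None, None


# --- constructed resolver stand-ins for the example; no network I/O ------------
def _response(query, rcode, ad=False):
    """Echo the query id, question and CD bit (RFC 4035 section 3.2.2) in a reply."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = (FLAG_QR | FLAG_RD | FLAG_RA | (qflags & FLAG_CD)
             | (FLAG_AD if ad else 0) | rcode)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def resolver_bad_trust_anchor(query):
    """Resolver with a stale trust anchor or wrong clock: its own validation fails,
    so CD=0 gets SERVFAIL, but with CD=1 it still hands back the unvalidated data."""
    return _response(query, RCODE_NOERROR if parse_header(query)["cd"] else RCODE_SERVFAIL)


def resolver_healthy(query):
    """Working validating resolver: CD=0 answers come back with AD set."""
    return _response(query, RCODE_NOERROR, ad=not parse_header(query)["cd"])
```

Against the broken resolver only the CD=1 attempt succeeds, and the answer carries no AD bit, which is exactly the case where the client must do its own validation; against the healthy resolver CD=0 succeeds first with AD set.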