On 2020/10/31 2:29 , Mark Andrews wrote:
> Because for DNSSEC to actually work through a forwarder you need to send both
> CD=0 and CD=1 queries.
>
> Always send CD=1 is broken. I said it at the time. This is noted in the
> write up on the draft. The working group chairs failed in letting this go
> through. Logic showing the decision was broken should have trumped misguided
> wishes to not have intermediate resolvers perform validation. It was never
> too late to revisit a wrong decision.
RFC 6147 is standard track. Unless there is another standard track RFC that requires validating resolvers to clear CD, it seems best for interoperability to send packets with CD=1. I just checked unbound and it seems to send packets with CD=1.

Of course in the context of DNS64 it is only AAAA queries for which this matters.

I agree with you that DNS64 is bad. But currently it is a standard track RFC, and the DNS64 behavior can be disabled by setting CD and DO. So it is hard to say that it gets in the way of DNSSEC validation.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
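The reply turns on two header bits: CD (Checking Disabled) in the DNS header and DO (DNSSEC OK) in the EDNS0 OPT record, and on the RFC 6147 section 5.5 rule that a DNS64 resolver does not synthesize AAAA records when the query carries both. The following is an added example, not code from either poster, from unbound, or from any DNS64 implementation: it builds a DNS query in wire format with chosen CD and DO settings, parses the flags back out, and applies the DNS64 decision rule as the reply describes it. Function names, the fixed transaction ID and the example.com query are constructed for illustration.

```python
import struct

QTYPE_A = 1
QTYPE_AAAA = 28
QTYPE_OPT = 41

FLAG_RD = 1 << 8      # Recursion Desired, DNS header flags word
FLAG_CD = 1 << 4      # Checking Disabled, DNS header flags word
EDNS_DO = 1 << 15     # DNSSEC OK, top bit of the OPT RR 16-bit flags field


def encode_name(name):
    """Encode a domain name as DNS labels (no compression, queries don't need it)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, cd=False, do=False, txid=0x1234):
    """Build a query packet; DO requires an OPT RR in the additional section."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    arcount = 1 if do else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    packet = header + question
    if do:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, "TTL" =
        # extended RCODE (8) | EDNS version (8) | flags (16, DO is bit 15), RDLEN 0
        packet += b"\x00" + struct.pack("!HHBBHH", QTYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return packet


def decode_name(packet, offset):
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(packet):
    """Return qname, qtype and the CD/DO bits a resolver would inspect."""
    _txid, flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    qname, offset = decode_name(packet, offset)
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    offset += 4
    do = False
    for _ in range(arcount):          # a query has no answer/authority RRs
        _name, offset = decode_name(packet, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10 + rdlen
        if rtype == QTYPE_OPT:
            do = bool(ttl & EDNS_DO)  # flags are the low 16 bits of the TTL field
    return {"qname": qname, "qtype": qtype, "cd": bool(flags & FLAG_CD), "do": do}


def dns64_synthesizes(query):
    """RFC 6147 section 5.5 as the reply states it: DNS64 only touches AAAA
    queries, and skips synthesis when the client set both DO and CD."""
    return query["qtype"] == QTYPE_AAAA and not (query["do"] and query["cd"])


if __name__ == "__main__":
    for cd, do in ((False, False), (True, False), (False, True), (True, True)):
        q = parse_query(build_query("example.com", QTYPE_AAAA, cd=cd, do=do))
        print("CD=%d DO=%d -> DNS64 synthesis: %s" % (cd, do, dns64_synthesizes(q)))
```

Running the block prints the four CD/DO combinations for an AAAA query; only CD=1 together with DO=1 suppresses synthesis, which is the combination a validating stub or forwarding resolver sends and why the reply argues DNS64 does not get in the way of validation.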
