> On 2 Nov 2020, at 05:02, Philip Homburg <[email protected]> wrote:
>
> On 2020/11/01 17:55, Andrew Sullivan wrote:
>> You basically
>> have two choices: do DNSSEC validation on your endpoint and probably
>> fail some of the time,
>
> Can you explain how DNSSEC validation would fail behind DNS64 if all
> queries are sent with both DO and CD set?
DNSSEC requires intermediate resolvers to validate to defeat spoofed responses. The validator is supposed to wait for the legitimate response to arrive. If you don't care about denial of service attacks caused by spoofed traffic, then go ahead and always send CD=1. There is no way to make a forwarder send you *good* answers once it has learned a spoofed answer with CD=1.

You need CD=0 and validation by the forwarder to defeat spoofed traffic being sent to the forwarder. You also need CD=0 and validation to recover from an authoritative server with an old version of the zone.

CD=1 was designed to allow you to get an answer through a forwarder when the forwarder has 1) a bad clock, 2) a bad trust anchor, both of which can result in SERVFAIL being returned on what should otherwise be valid responses to the forwarder.

Mark

> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
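The thread above argues about two flag bits without showing where they live on the wire. The following is an added example, not code from the mailing list or from ISC: it builds a DNS query with the header CD bit (0x0010 in the flags word, RFC 4035) and the EDNS(0) DO bit (top bit of the OPT RR's TTL field, RFC 3225/6891), then parses both back out of the raw message. Constant names, the `build_query`/`parse_flags` helpers and the 1232-byte UDP payload size are this example's own choices, not anything the thread specifies. The default is `cd=False`, the setting Mark's reply recommends when you rely on the forwarder to validate; pass `cd=True` to produce the DO=1, CD=1 query Philip asks about.

```python
"""Build a DNS query carrying the DO and CD bits and read them back from the wire format."""
import struct

# Header flag bits, 16-bit flags word (RFC 1035 s4.1.1; AD/CD from RFC 4035 s3.1.6).
FLAG_RD = 0x0100  # Recursion Desired
FLAG_AD = 0x0020  # Authentic Data: set by a validator on validated responses
FLAG_CD = 0x0010  # Checking Disabled: asks the upstream not to validate for us

TYPE_A = 1
TYPE_OPT = 41      # EDNS(0) pseudo-RR (RFC 6891)
CLASS_IN = 1
OPT_DO = 0x8000    # DNSSEC OK: high bit of the OPT RR's 32-bit TTL field (RFC 3225)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels, no compression."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234, cd=False, do=True, udp_size=1232):
    """Return a complete DNS query message. cd/do select the CD header bit and the EDNS DO bit."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    arcount = 1 if do else 0  # the OPT RR lives in the additional section
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    msg = header + question
    if do:
        # OPT RR: root name, TYPE=OPT, CLASS=requestor's UDP payload size,
        # TTL = ext-RCODE(8) | version(8) | DO(1) | Z(15), RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, OPT_DO, 0)
    return msg


def skip_name(msg, off):
    """Advance past a wire-format name starting at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0:       # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_flags(msg):
    """Extract RD/AD/CD from the header and DO plus payload size from any OPT RR."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns):                    # skip answer and authority RRs
        off = skip_name(msg, off)
        _t, _c, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
    do, udp_size = False, None
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & OPT_DO)
            udp_size = rclass
    return {
        "id": txid,
        "rd": bool(flags & FLAG_RD),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "do": do,
        "udp_size": udp_size,
    }


if __name__ == "__main__":
    q = build_query("example.com", cd=True, do=True)
    print(q.hex())
    print(parse_flags(q))
```

Feeding the CD=1 query to a forwarder tells it to hand back whatever it holds without validating, which is the behaviour Mark's reply warns about; the same message with `cd=False` leaves validation to the forwarder, and a validated answer comes back with the AD bit set in the flags word that `parse_flags` reads.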
