Preface: Please don’t read any judgement of DNSSEC’s value into this
question. Just looking for the opportunity to understand DNSSEC better from
some world-class experts if any care to respond.

When a client (or any DNS-speaker) is doing validation, doesn’t it set CD
on queries through a forwarder? In that sense, the intermediate servers do
not filter “bad answers.” Or is my understanding incorrect? Or do you mean
the data that the forwarder is using internally has been filtered of bad
answers?


On Fri, Dec 1, 2023 at 1:40 PM Mark Andrews <ma...@isc.org> wrote:

> A validating resolver is a prerequisite for validating clients to work.
> Clients don’t have direct access to the authoritative servers so they can’t
> retrieve good answers if the recursive servers don’t filter out the bad
> answers.
>
> Think of a recursive server as a town water treatment plant. You could
> filter and treat at every house and sometimes you still do like boiling
> water for baby formula but for the most part what you get out of it is good
> enough for consumption as is.
>
>
> --
> Mark Andrews
>
> On 2 Dec 2023, at 08:14, John Thurston <john.thurs...@alaska.gov> wrote:
>
> At first glance, the concept of a validating resolver seemed like a good
> idea. But in practice, it is turning out to be a hassle.
>
> I'm starting to think, "If my clients want their answers validated, they
> should do it." If they *really* care about the quality of the answers they
> get, why should my clients be trusting *me* to validate them?
>
> Can someone make a good case to me for continuing to perform DNSSEC
> validation on my central resolvers?
>
> --
> Do things because you should, not just because you can.
>
> John Thurston    907-465-8591    john.thurs...@alaska.gov
> Department of Administration
> State of Alaska
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users