Re: Value of a DNSSEC validating resolver

2024-02-11 Thread Mark Andrews
> On 9 Feb 2024, at 21:40, Petr Menšík wrote:
>
> Hello Mark,
>
> allow me here to correct your statement. We spent in Red Hat some time
> thinking and testing validating clients. Validating resolver is *not*
> necessary for validating clients to work. They are better and recommended,
>

Re: Value of a DNSSEC validating resolver

2024-02-09 Thread Mark Andrews
--
Mark Andrews

> On 10 Feb 2024, at 04:18, Randy Bush wrote:
>
>>
>> I admit here we most often work with internal only forwarders, which
>> are not accessible from outer internet. So those won't be under attack
>
> i am always impressed by security optimism
>
> randy

-- Visit

Re: Value of a DNSSEC validating resolver

2024-02-09 Thread Randy Bush
> I admit here we most often work with internal only forwarders, which
> are not accessible from outer internet. So those won't be under attack

i am always impressed by security optimism

randy
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds

Re: Value of a DNSSEC validating resolver

2024-02-09 Thread Petr Menšík
On 2/9/24 12:39, Mark Andrews wrote:
> Do the analysis where the resolver is under attack or the auth server with the best rtt is stale.

I admit here we most often work with internal only forwarders, which are not accessible from outer internet. So those won't be under attack, at least

Re: Value of a DNSSEC validating resolver

2024-02-09 Thread Mark Andrews
Do the analysis where the resolver is under attack or the auth server with the best rtt is stale.

--
Mark Andrews

> On 9 Feb 2024, at 21:40, Petr Menšík wrote:
>
> Hello Mark,
>
> allow me here to correct your statement. We spent in Red Hat some time
> thinking and testing validating

Re: Value of a DNSSEC validating resolver

2024-02-09 Thread Petr Menšík
Hello Mark,

allow me here to correct your statement. We spent in Red Hat some time thinking and testing validating clients. Validating resolver is *not* necessary for validating clients to work. They are better and recommended, but not always necessary. What is required is dnssec (security)

Re: Value of a DNSSEC validating resolver

2023-12-02 Thread Mark Andrews
Clients need to send both cd=0 and cd=1 queries. The two types of queries address different failure scenarios. I tried hard to prevent the stupid "just send cd=1" advice before it was published. Years before there was a wish to reduce the amount of work a validating resolver does. There was

Re: Value of a DNSSEC validating resolver

2023-12-02 Thread Crist Clark
Preface: Please don’t read any judgement of DNSSEC’s value into this question. Just looking for the opportunity to understand DNSSEC better from some world-class experts if any care to respond. When a client (or any DNS-speaker) is doing validation, doesn’t it set CD on queries through a

Re: Value of a DNSSEC validating resolver

2023-12-02 Thread G.W. Haywood
Hi there,

On Sat, 2 Dec 2023, Mark Andrews wrote:

> On Fri, 1 Dec 2023, John Thurston wrote:
>
>> Can someone make a good case to me for continuing to perform DNSSEC
>> validation on my central resolvers?
>
> Think of a recursive server as a town water treatment plant. You could filter and treat at

Re: Value of a DNSSEC validating resolver

2023-12-01 Thread Mark Andrews
A validating resolver is a prerequisite for validating clients to work. Clients don’t have direct access to the authoritative servers so they can’t retrieve good answers if the recursive servers don’t filter out the bad answers. Think of a recursive server as a town water treatment plant. You

Value of a DNSSEC validating resolver

2023-12-01 Thread John Thurston
At first glance, the concept of a validating resolver seemed like a good idea. But in practice, it is turning out to be a hassle. I'm starting to think, "If my clients want their answers validated, they should do it." If they *really* care about the quality of the answers they get, why should