On Fri, Nov 8, 2019 at 4:37 PM Paul Wouters <[email protected]> wrote:
> On Wed, 6 Nov 2019, Paul Hoffman wrote:
>
> > Given that we are (still supposedly) talking about requirements and not
> > solutions, I would be unhappy with a requirement that prevents a resolver
> > that is not validating
>
> Why would a _resolver_ not be validating?
>
> I understand the reasons for web applications that do not want to do
> validating, though I disagree with those. But for actual DNS resolvers,
> running as DNS caching server on either laptop or in an enterprise, I
> see no valid reason why it should not be validating at this point.
>
> > Any protocol we develop for ADoT capability discovery should prevent
> > downgrade attacks but should also work fine for resolvers that do not
> > validate.
>
> I strongly disagree. Resolvers towards Authoritative servers are core
> infrastructure, and that core should have no problems using the latest
> DNS RFCs.
>
> Paul
I hate to admit it, and this is a little off topic, but my resolvers are not (yet) validating. Is there a setting that will attempt to validate, and log if it fails, but still answer the users? I hear that there are occasional sites that fail validation, and would like to know what will break if and when I begin to validate.

I will also need to monitor the added load on the servers, although I don't expect it to be a problem.

I realize that not everyone agrees with this level of caution/fear/lack-of-backbone (I am sure there are other descriptions people would prefer).

-- 
Bob Harold
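The "validate, log failures, but still answer" mode Bob asks about exists in Unbound as its permissive validation mode. The fragment below is an added illustration for this thread, not configuration from any list participant, and it assumes an Unbound resolver whose root trust anchor lives at the placeholder path /var/lib/unbound/root.key (adjust to the local packaging). With a trust anchor configured Unbound runs the validator module by default, so no module-config line is needed.

```conf
server:
    # Root zone trust anchor, kept current by Unbound via RFC 5011 rollover.
    # Path is an assumption; use wherever your distribution stores root.key.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Log every validation failure with the reason and the nameserver it
    # was received from, e.g. "validation failure <name A IN>: ...".
    val-log-level: 2

    # Staging setting: bogus answers are marked insecure and still returned
    # to clients instead of SERVFAIL. Failures show up only in the log.
    val-permissive-mode: yes

    # Production setting: flip the line above to "no" once the log has been
    # quiet for a while and the remaining failures are understood.
    # val-permissive-mode: no
```

In permissive mode the resolver does all the signature work, so the CPU and upstream query load seen during staging is representative of what enforcement will cost; the only behavioural difference when switching to `val-permissive-mode: no` is that the zones already appearing as "validation failure" lines in the log start returning SERVFAIL. Note that while permissive mode is on, clients receive bogus data as if it were merely unsigned, so the window should be kept short.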
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
