
Re: Jessie release goal: DNSSEC as default recursive resolver



Wouter Verhelst writes ("Re: Jessie release goal: DNSSEC as default recursive resolver"):
> There is nothing in DNSSEC which makes it inherently incompatible with
> using DNS forwarders. Talking to the root DNS servers is fun and all,
> but there's really no good reason why you shouldn't use the large DNS
> cache on your ISP's recursive DNS server.

I'm afraid this is not true.  The way DNSSEC is designed means that
you can't "tunnel" the DNSSEC data through a forwarding nameserver
which doesn't itself understand DNSSEC at least to a minimal extent.

If your local forwarder doesn't do this, which is quite likely, you
have to fall back to the global infrastructure - and hope it's not
blocked or intercepted.

> Now, if your local DNS server ignores requests for RRSIG records, or
> sabotages DNSSEC in other ways, it might make sense to try to bypass
> them, possibly by running a local caching DNS server. But that should
> not be the first thing to do.

IIRC one of the ways that DNSSEC breaks naive forwarders is that its
rules for what constitutes an RRset are different to normal.  It's a
while since I looked at this but I could go and look at the RFCs
again...

Ian.
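
The practical question raised in this exchange is whether the forwarder in front of you passes DNSSEC data through or silently drops it. The following is an added example, not code from the original thread or from Debian: a standard-library Python check that builds a query with the EDNS0 DO bit set, parses the reply, and reports whether RRSIG records (and the AD flag) came back. The `sample_reply` helper fabricates two replies for offline use, one as a DNSSEC-aware resolver would answer and one as a naive forwarder that strips the OPT record and the signatures; the signature rdata and the `192.0.2.1` address are constructed placeholders, and `probe` is a hypothetical helper name that needs network access.

```python
"""Does my recursive forwarder pass DNSSEC data through? (added example)

A validating stub needs the forwarder to accept an EDNS0 query carrying the
DO bit and to return RRSIG records next to the answer. Without them the
local validator cannot check anything and must go to the global
infrastructure itself, as the post above describes.
"""
import socket
import struct
import sys

TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
CLASS_IN = 1
EDNS_DO = 0x8000   # DNSSEC OK bit, carried in the OPT record's TTL field
FLAG_AD = 0x0020   # Authenticated Data bit in the DNS header flags
QUERY_ID = 0x1234  # fixed transaction id so the reply can be matched


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, udp_size=4096):
    """Recursive query plus an OPT record with DO=1 (RFC 3225 / RFC 6891)."""
    header = struct.pack("!HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt


def skip_name(data, pos):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def analyze_response(data):
    """Summarise the DNSSEC-relevant parts of a raw DNS reply."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):                       # skip the echoed question section
        pos = skip_name(data, pos) + 4
    rrsig = 0
    do_echoed = False
    for _ in range(an + ns + ar):             # walk answer, authority and additional RRs
        pos = skip_name(data, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsig += 1
        elif rtype == TYPE_OPT and ttl & EDNS_DO:
            do_echoed = True
    return {"id": qid, "ad": bool(flags & FLAG_AD), "rrsig": rrsig, "do": do_echoed}


def classify(summary):
    """Turn the summary into the verdict an operator cares about."""
    if summary["rrsig"] == 0:
        return "stripped"             # not DNSSEC-aware: nothing to validate locally
    if summary["ad"]:
        return "validated-upstream"   # forwarder validated; AD is only meaningful on a trusted path
    return "signatures-present"       # a local validator can do the work itself


def sample_reply(with_rrsig=True, ad=True):
    """Constructed replies for offline testing (not captured traffic)."""
    name = encode_name("example.com")
    question = name + struct.pack("!HH", TYPE_A, CLASS_IN)
    flags = 0x8180 | (FLAG_AD if ad else 0)   # QR, RD, RA (+AD)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    if not with_rrsig:                        # naive forwarder: no RRSIG, no OPT
        return struct.pack("!HHHHHH", QUERY_ID, flags, 1, 1, 0, 0) + question + a_rr
    sig_rdata = bytes(range(40))              # placeholder RRSIG rdata, opaque to this parser
    rrsig = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, len(sig_rdata)) + sig_rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return struct.pack("!HHHHHH", QUERY_ID, flags, 1, 2, 0, 1) + question + a_rr + rrsig + opt


def probe(server, name, timeout=3.0):
    """Send the DO=1 query to `server` over UDP and classify the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    summary = analyze_response(data)
    if summary["id"] != QUERY_ID:
        raise ValueError("reply transaction id does not match the query")
    return classify(summary)


if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1", "example.com"))
```

A "stripped" verdict against your ISP's forwarder is exactly the situation Ian describes: the local validator has no signatures to check and must fall back to querying the global infrastructure directly. Note also that an AD flag set by the forwarder only tells you the forwarder believes the data validated; unless the path to that forwarder is itself protected, a validating stub should treat "signatures-present" as the only state in which it can verify anything for itself.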

