Maintained by: NLnet Labs

[Unbound-users] Google Public DNS

Marco Davids (SIDN)
Wed Mar 20 07:49:42 CET 2013


Hi,

I suppose many of us read Google's announcement yesterday:

 
http://googleonlinesecurity.blogspot.nl/2013/03/google-public-dns-now-supports-dnssec.html

Now, Google Public DNS only validates when either the DO-bit or,
according to RFC6840, the AD-bit is set in the query.

  https://developers.google.com/speed/public-dns/faq#dnssec

Validation upon request, instead of ignoring validation by means of the
CD-bit, so to speak.

In a way, I kind of like the idea. As for some environments -such as the
one at Google- it might (for now) be a good alternative. It sort of
adheres to the idea; "everything stays the same, unless you want it to
be different" (which at the same time may be considered as undesirable...).

Anyway...

I was wondering what the opinions are on this list, regarding the
design-choices of Google. And if this feature is being considered for
Unbound (in addition to the already present 'val-permissive' mode)?

Regards,
--
Marco
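
Added example, not part of the original post and not Google's or Unbound's code: a sketch that builds DNS queries with the AD, CD and DO bits discussed above and applies the "validate only when DO or AD is set" policy as the post describes it. The function names, the query ID and the 1232-byte UDP size are assumptions chosen for illustration.

```python
import struct

# Header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 3225).
RD, AD, CD = 0x0100, 0x0020, 0x0010
DO = 0x8000
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid=0x1234, ad=False, cd=False, do=False, edns=False):
    """Build an A query; edns/do add an OPT record with or without the DO bit."""
    flags = RD | (AD if ad else 0) | (CD if cd else 0)
    use_opt = edns or do
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if use_opt else 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if use_opt:
        # OPT RR: root name, type 41, class = UDP size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 1232, 0, 0, DO if do else 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past an uncompressed name (these queries do not compress)."""
    while msg[off]:
        off += 1 + msg[off]
    return off + 1

def query_signals(msg):
    """Extract the AD, CD and DO bits from a query built as above."""
    _, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    do = False
    for _ in range(ar):  # assumes no answer/authority records, as in a normal query
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            do = bool(ttl & DO)  # DO is the top bit of the low 16 bits of the TTL field
        off += 10 + rdlen
    return {"ad": bool(flags & AD), "cd": bool(flags & CD), "do": do}

def validates_on_request(msg):
    """Model of the policy in the post (an assumption): validate only if DO or AD is set."""
    s = query_signals(msg)
    return s["do"] or s["ad"]
```

A plain query, or one carrying an OPT record without DO, does not ask for validation under this model; setting either AD in the header or DO in the OPT record does.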
