Maintained by: NLnet Labs

[Unbound-users] Google Public DNS

Ondřej Surý
Wed Mar 20 08:22:58 CET 2013


The question to answer is: How many stub resolvers do set the DO/AD flag or even allow setting it? So this doesn't make much sense to me to implement in Unbound too, since I consider this practically useless.

Ondřej Surý

On 20. 3. 2013, at 7:49, "Marco Davids (SIDN)" <marco.davids at sidn.nl> wrote:

> Hi,
> 
> I suppose many of us read Google's announcement yesterday:
> 
>   http://googleonlinesecurity.blogspot.nl/2013/03/google-public-dns-now-supports-dnssec.html
> 
> Now, Google Public DNS only validates when either the DO-bit or, according to RFC6840, the AD-bit is set in the query.
> 
>   https://developers.google.com/speed/public-dns/faq#dnssec
> 
> Validation upon request, instead of ignoring validation by means of the CD-bit, so to speak.
> 
> In a way, I kind of like the idea. As for some environments - such as the one at Google - it might (for now) be a good alternative. It sort of adheres to the idea: "everything stays the same, unless you want it to be different" (which at the same time may be considered as undesirable...).
> 
> Anyway...
> 
> I was wondering what the opinions are on this list, regarding the design choices of Google. And if this feature is being considered for Unbound (in addition to the already present 'val-permissive' mode)?
> 
> Regards,
> --
> Marco
> 