On 06/04/10 19:40, Paul Vixie wrote:
Doug Barton<do...@dougbarton.us> writes:
I have a guess at why ISC would want to enable it by default, and even in
the presence of an option to turn it off I'm still Ok with that default.
But if it's not a standards requirement to have it on, giving the admin a
choice would be a welcome thing.
this was, as you pointed out, a controversial decision. BIND implements the
"DO" bit as "this requestor will not vomit or crash if you include DNSSEC
metadata in the response". we believe that this supports the eventual goal
of near-universal DNSSEC deployment, in which it's foolish to treat "DO" as
"this requestor is explicitly interested in DNSSEC metadata on this answer".
the earlier we face the UDP fragmentation pain, the smaller that pain will
have been by the time we overcome it. same thing for validator bugs, zone
signing/resigning errors/expirations, and everything else that makes "always
set DO" seem unattractive today, to today's sysadmins, who aren't involved
in any DNSSEC deployment crusade and don't appreciate being co-opted for it.
unless a new IETF RFC comes along and disambiguates the meaning of "DO" such
that it's only to be set if the requestor thinks it has a reasonable shot at
validating the resulting metadata, i expect BIND to keep setting "DO" on all
EDNS requests it generates. and i don't think you can make a _public benefit_
argument that this is wrong even though there are _private benefit_ arguments.
Ok, so my guess as to ISC's motivations was pretty much on the mark, and
speaking with my "Guy who loves the Internet and wants to see things
work better for everybody" hat on, I am totally in agreement. That's why
I said I would have no problem with a theoretical DO knob defaulting to
"On."
With my business hat on though I can see at least 2 possible use cases
for DO=0. The first being related to this thread, "I can't/won't
fix/remove the firewall today, I just want my resolver to work." The
hapless user in that spot is either going to use another vendor, or go
back to the old version of BIND that "works." I know market share isn't
a _primary_ concern for BIND, but I would argue that the "go back to old
version" answer to this dilemma is something that we should all be
concerned about.
The other use case that leaps immediately to mind is "We do 42
scintillion DNS queries per second and our bandwidth cost has tripled in
the last 3 months! What in the name of J. Jonah Jameson is going on
around here?!?"
In all fairness, I don't have any actual clients telling me that DO=1 is
a problem for them, this is pure speculation on my part; although it's
speculation with a reasonable amount of experience behind it. In the
face of an actual client having actual DO=1 problems I would of course
encourage them to fix the underlying issue (and of course, to enable
DNSSEC). :) But if they can't/won't/etc ....
Doug (you kids with your newfangled contraptions, get off my lawn!)
--
... and that's just a little bit of history repeating.
-- Propellerheads
Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
