Hi,
Given that Google's Public DNS recently enabled DNSSEC validation:
http://googleonlinesecurity.blogspot.co.uk/2013/03/google-public-dns-now-su…
it's probably way beyond time to make some serious effort to enable
this at BitFolk.
Unbound is used here for resolvers:
http://unbound.net/
but it doesn't currently have the "validator" part enabled.
Since it is possible that there will be domains out there that have
broken DNSSEC records that nobody has yet noticed (a lot less likely
now that Google's DNS validates), I don't think it would be acceptable
to just turn on validation with no notice. We're going to give you
at least 30 days of notice.
Is there anything more that you think should be done?
We could put up a test instance of Unbound with validation enabled
and you could switch to using it, to see if anything breaks. Is that
something that any of you think you would bother with?
On to logging.
Should validation failures be logged on production resolvers? On the
plus side, if you are experiencing one then you could ask us to look
in the logs to see why. On the negative side, it means we'll
casually stumble across records of tons of queries that customers
make, which is a privacy concern.
Note that if you are particularly keen on DNSSEC validation then
there's nothing stopping you installing a DNS resolver on your own
VPS today and using that.
Also note that in theory enough diagnostic sites exist out there for
you to not need resolver logs.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
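For reference, an Unbound configuration that enables the validator and logs only validation failures rather than every query, as the mail discusses. This is an added illustration, not BitFolk's configuration or anything from the original mail; the file paths, listening address and access range are assumptions.

```conf
# /etc/unbound/unbound.conf (assumed path): test resolver with DNSSEC validation
server:
    # Test instance on its own address/port (assumed values) so customers
    # can opt in to it before validation is turned on for production.
    interface: 192.0.2.53
    port: 53
    access-control: 192.0.2.0/24 allow

    # Before: "module-config: iterator" resolves but never validates.
    # After: the validator module runs ahead of the iterator.
    module-config: "validator iterator"

    # Root trust anchor; create it once with
    #   unbound-anchor -a /var/lib/unbound/root.key
    # (assumed path). Unbound then tracks key rollovers itself (RFC 5011).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Log validation failures only: 1 = failed name, 2 = name plus reason.
    # log-queries stays off, so ordinary customer lookups are not recorded.
    val-log-level: 2
    log-queries: no

    # During the notice period this could be enabled to keep answering for
    # names that fail validation (with the AD bit cleared) while still
    # logging each failure. Leave it off once validation is enforced.
    # val-permissive-mode: yes
```

Check the file with `unbound-checkconf`, then query the test instance with `dig +dnssec`: a correctly signed name comes back with the `ad` flag set, while a name whose signatures do not validate returns SERVFAIL and appears in the log.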