So in summary...
A whole lot of people in NZ are already doing DNSSEC validation on
their resolvers and not finding that it generates any significant
problems.
Google is doing it on their public resolver and they would certainly
notice broken behaviour if it was at all significant.
I'd like to look to moving this topic into a statement saying "Best
Current Operational Practice in New Zealand is to deploy your caching
resolvers to do DNSSEC validation."
Given that I agreed at the conference to do a bit of this BCOP stuff
that seems to be a useful start. And we can then write a useful
document for the ISOC BCOP programme.
Disagreements welcome, but in light of the weight of positive feedback
we've seen, that disagreement had better come with something more
concrete than "I'm afraid that there might be a theoretical
possibility that ...." =)

On Thu, Feb 13, 2014 at 2:58 PM, Mark Goldfinch wrote:
On 11 February 2014 14:37, Pete Mundy wrote:
Straight after the conference, I enabled validation on a resolver that handles in excess of 2 million queries/day.
So far I have no negative impact to report either :)
I support Andy & Dean's comments. Just turn it on already!
Our experience matches too; our two recursive resolvers combined have a similar load to that of Pete's.
We've been running recursive resolvers in excess of 6 months now. Our audience is mostly hosted servers and VMs, who don't tend to complain about inability to view cat pictures; we have not had problems with resolver service.
+1 for DNSSEC enabled resolvers!
Thanks, --
Mark Goldfinch | Systems Team Leader
MODICA GROUP
nz: +64 4 498 6000
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog