Re: [nznog] Validating resolvers for DNS and DNSSEC
Straight after the conference, I enabled validation on a resolver that handles in excess of 2 million queries/day.
So far I have no negative impact to report either :)
I support Andy & Dean's comments. Just turn it on already!
Pete Mundy
Wearer of Many Hats
On 11/02/2014, at 12:20 PM, Dean Pemberton wrote:
Dave Mill (Inspire) stood up at NZNOG and clearly said that for them that never happened.
Just turn it on.
On Tue, Feb 11, 2014 at 11:51 AM, Nathan Ward wrote:
[SNIP]
I've been talking about this with one of my customers recently, and there's a concern by some that turning on validation will trip false positives - which for an ISP is a bad thing to do - all the customer sees is that you 'don't work' while the other ISP does.
Is there public data available re. this? Does it likely vary much for NZ?
[SNIP]
Nathan Ward
On 11 February 2014 14:37, Pete Mundy wrote:
Straight after the conference, I enabled validation on a resolver that handles in excess of 2 million queries/day.
So far I have no negative impact to report either :)
I support Andy & Dean's comments. Just turn it on already!
Our experience matches too: our two recursive resolvers combined have a similar load to that of Pete's.
We've been running recursive resolvers in excess of 6 months now. Our audience is mostly hosted servers and VMs who don't tend to complain about inability to view cat pictures; we have not had problems with resolver service.
+1 for DNSSEC enabled resolvers!
Thanks,
--
Mark Goldfinch | Systems Team Leader
MODICA GROUP
nz: +64 4 498 6000
So in summary...

A whole lot of people in NZ are already doing DNSSEC validation on their resolvers and not finding that it generates any significant problems.

Google is doing it on their public resolver and they would certainly notice broken behaviour if it was at all significant.

I'd like to look to moving this topic into a statement saying "Best Current Operational Practice in New Zealand is to deploy your caching resolvers to do DNSSEC validation."

Given that I agreed at the conference to do a bit of this BCOP stuff that seems to be a useful start. And we can then write a useful document for the ISOC BCOP programme.

Disagreements welcome, but in light of the weight of positive feedback we've seen, that disagreement had better come with something more concrete than "I'm afraid that there might be a theoretical possibility that ...." =)
On Thu, Feb 13, 2014 at 2:58 PM, Mark Goldfinch wrote:
On 11 February 2014 14:37, Pete Mundy wrote:
Straight after the conference, I enabled validation on a resolver that handles in excess of 2 million queries/day.
So far I have no negative impact to report either :)
I support Andy & Dean's comments. Just turn it on already!
Our experience matches too: our two recursive resolvers combined have a similar load to that of Pete's.
We've been running recursive resolvers in excess of 6 months now. Our audience is mostly hosted servers and VMs who don't tend to complain about inability to view cat pictures; we have not had problems with resolver service.
+1 for DNSSEC enabled resolvers!
Thanks,
--
Mark Goldfinch | Systems Team Leader
MODICA GROUP
nz: +64 4 498 6000
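Nathan Ward's question above is whether there is data on how often validation "trips false positives", and the operators in the thread answer from experience rather than from measurements. The script below is an added example (not code from any poster on this list) of how an operator can collect that data themselves: it parses validator failure lines from a resolver log in the style of BIND's `dnssec` logging category, counts them per queried name, normalises them against query volume (Pete's 2 million queries/day is used as the sample figure), and checks a `dig` header line for the AD bit to confirm the resolver is actually validating. The sample log lines are constructed, and the exact wording of the failure messages is an assumption about BIND's validator output, not taken from a real log.

```python
"""Triage DNSSEC validation failures from a resolver log and confirm that a
resolver is validating. Added example; not the thread's or any poster's code."""
import re
from collections import Counter

# Constructed sample in the style of BIND's 'dnssec' logging category.
# Message wording is assumed, not copied from a real resolver log.
SAMPLE_LOG = """\
13-Feb-2014 14:58:01.101 dnssec: info: validating example.net/A: no valid signature found
13-Feb-2014 14:58:01.204 dnssec: info: validating example.net/AAAA: no valid signature found
13-Feb-2014 14:58:02.310 dnssec: info: validating example.net/MX: no valid signature found
13-Feb-2014 14:58:05.009 dnssec: info: validating example.org/DS: got insecure response; parent indicates it should be secure
13-Feb-2014 14:59:12.777 dnssec: info: validating example.net/A: no valid signature found
13-Feb-2014 14:59:40.000 lame-servers: info: unrelated line that the parser must ignore
"""

# Matches "<timestamp> dnssec: <level>: validating <name>/<rtype>: <reason>".
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dnssec: \w+: validating "
    r"(?P<name>[^/\s]+)/(?P<rtype>\S+): (?P<reason>.+)$"
)


def parse_validation_failures(log_text):
    """Return one dict (ts, name, rtype, reason) per validator failure line;
    lines from other logging categories are skipped."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line.strip())
        if m:
            failures.append(m.groupdict())
    return failures


def failures_by_name(failures):
    """Count failures per queried name, so an operator can tell a single
    broken zone (a 'false positive' from the customer's point of view)
    from a resolver-wide problem."""
    return Counter(f["name"] for f in failures)


def failures_per_million(failure_count, total_queries):
    """Normalise failures against query volume so the number is comparable
    between resolvers of different sizes."""
    if total_queries <= 0:
        raise ValueError("total_queries must be positive")
    return failure_count * 1_000_000 / total_queries


def ad_flag_set(flags_line):
    """Given the ';; flags: ...' header line from dig +dnssec output, report
    whether the AD (Authenticated Data) bit is set, i.e. the resolver
    validated the answer. Raises ValueError for a line that is not a dig
    flags line."""
    m = re.match(r";; flags:([^;]*);", flags_line)
    if not m:
        raise ValueError("not a dig flags line")
    return "ad" in m.group(1).split()


if __name__ == "__main__":
    found = parse_validation_failures(SAMPLE_LOG)
    for name, n in failures_by_name(found).most_common():
        print(f"{name}: {n} validation failures")
    # 2,000,000 is the daily query count Pete Mundy mentions in the thread.
    print(f"{failures_per_million(len(found), 2_000_000):.2f} failures per million queries")
    # Sample flags line as dig prints it for a validated answer.
    print(ad_flag_set(";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"))
```

Run it against the real log (`parse_validation_failures(open(path).read())`) over a day and compare the per-name counts with the resolver's query total; a handful of failures concentrated on one or two names is the signed-but-misconfigured zone case the thread discusses, which the zone owner has to fix, whereas failures spread across many names point at the resolver itself (clock, trust anchor, or path MTU problems) and should be investigated before blaming the zones.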