[Dnssec-trigger] Is Dnssec-trigger a resolver or a stub-resolver ?

Olafur Gudmundsson ogud at ogud.com
Thu Dec 1 16:17:17 UTC 2011

I have run into another issue, my work DHCP server hands out three DNS 
resolver addresses, the first two are local resolvers the last one is an 
ISP provided DNS resolver, all are DNSSEC validating resolvers.
(I'm told this is common just in case the local resolvers have all 
crashed or lost power).

A standard recursive resolver will randomize which upstream resolvers
it talks to. Most stub-resolvers on the other hand will ask resolvers
in the order provided. Thus in my work case the ISP resolver should
only be asked after both local resolvers have failed to answer.

DNSSEC-Trigger seems to send queries to the 3 resolvers by random, this
is causing a minor interoperability issue due to split-DNS usage
inside the firewall i.e. about 1/3 of the time I get RCODE=3 for
local names that do not exist on the outside.

I'm not sure which behavior DNSSEC-Trigger should follow but
having it behave more like stub-resolver might have fewer
interoperability issues of this kind.

Conversely I can see DNSSEC-Trigger favor resolvers that support DNSSEC
transport and the ISP one might the only one.....


More information about the dnssec-trigger mailing list