Are open validating resolvers still relevant today?

For many years, our association has been running a service going by the acronym “ODVR” – Open DNSSEC Validating Resolvers. At times when DNSSEC was just beginning, we thought it was necessary to come up with an alternative to DNS resolvers provided by ISPs who introduced the validation support too slowly. Since then, we have offered a publicly available service that allows validation of domains using DNSSEC security even in those networks whose default DNS resolvers do not support this.

Reducing TTL in the .cz zone

DNS records contain a lot of important data, including the information on how quickly such data becomes obsolete, the so-called TTL (Time To Live). TTL in the DNS indicates for how long the data can be stored on a recursive nameserver (resolver) without it being retrieved from an authoritative nameserver. The lower the TTL, the more frequently resolvers query authoritative nameservers and obtain the most recent data. At the same time, however, a short TTL causes heavier load on nameservers, and if DNS records do not change often, the TTL is usually set to several hours.

DNSSEC has become mainstream

This year’s December 5 made it into the history of Czech Internet security by crossing a significant threshold. From this date, in the registry of .cz domains there are more domains with DNSSEC security than those which lack this protocol extension. Information provided by DNS systems of more than 51% (653,297) of .cz domains can now be authenticated to ensure that it was not spoofed on the way to the user.