[dnssec-deployment] Deploying DNSSec root in productive environment

Peter Koch pk at DENIC.DE
Tue Apr 17 11:19:42 EDT 2007


On Tue, Apr 17, 2007 at 08:30:53PM +1000, Mark Andrews wrote:

> 	The problem is that the com servers are not DS aware.  Most
> 	(all?) of the other tlds have at least one DS aware server.

not sure what kind of awareness you're referring to here.  Clearly the
systems in question do not support DS, so they will respond with a referral
instead of a NOERROR/NODATA response. However, the resolver can easily
deduce that DS doesn't (consistently) exist, because the server would have
said so (as long as the referral is really downward, i.e. this is not "just"
a lame delegation).

Strictly speaking, the validator could have stopped when it discovered that the
server didn't support EDNS0 and/or DO, unless it would be interested in an
unsigned DS RR.  Maybe we're into draft-ietf-dnsext-dnssec-bis-updates
territory now.

-Peter
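The distinction the post turns on (a referral from a server that does not support DS, versus an authoritative NOERROR/NODATA, versus a referral that is not truly downward, plus whether the server spoke EDNS0/DO at all) can be made mechanically from the response itself. The following is an added example, not code from the poster or from the list: a small wire-format parser and classifier for responses to a DS query, run against constructed messages. The function and field names (`build_message`, `parse_response`, `classify_ds_response`, `ds_absent_deducible`) are this example's own, and the "deducible" verdict simply encodes the argument made in the post for a downward referral.

```python
import struct

DS, NS, SOA, OPT = 43, 2, 6, 41


def encode_name(name):
    """Uncompressed wire-format owner name (root name encodes as a single zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(flags, qname, qtype, authority=(), edns=None):
    """Constructed response for offline use. edns: None = no OPT, False = OPT without DO, True = OPT with DO."""
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, len(authority), 0 if edns is None else 1)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in authority:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    if edns is not None:  # OPT pseudo-RR: root owner, class = UDP size, TTL field carries the DO bit
        body += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000 if edns else 0, 0)
    return hdr + body


def read_name(msg, off):
    """Decode a name at offset, following compression pointers; returns (name, offset after name)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Parse header, single question, and the three RR sections into a dict."""
    _, flags, _qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    qname, off = read_name(msg, off)
    qtype, _ = struct.unpack_from("!HH", msg, off)
    off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            sections[sec].append((owner, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    opt = [rr for rr in sections["additional"] if rr[1] == OPT]
    return {"qname": qname, "qtype": qtype, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "edns": bool(opt), "do": bool(opt and opt[0][2] & 0x8000), **sections}


def is_below(name, zone):
    """True when name is a proper subdomain of zone."""
    return name != zone and (zone == "." or name.endswith("." + zone))


def classify_ds_response(msg, served_zone):
    """Interpret a DS response from a server authoritative for served_zone."""
    r = parse_response(msg)
    zone = served_zone.lower()
    verdict = {"edns": r["edns"], "do": r["do"], "kind": "other", "ds_absent_deducible": False}
    if any(rr[1] == DS for rr in r["answer"]):
        verdict["kind"] = "answer"
    elif r["rcode"] == 0 and not r["answer"] and r["aa"] and any(rr[1] == SOA for rr in r["authority"]):
        verdict["kind"] = "nodata"              # authoritative NOERROR/NODATA from a DS-aware server
        verdict["ds_absent_deducible"] = True
    elif r["rcode"] == 0 and not r["answer"]:
        ns_owners = {rr[0] for rr in r["authority"] if rr[1] == NS}
        if ns_owners and all(is_below(o, zone) and (r["qname"] == o or is_below(r["qname"], o)) for o in ns_owners):
            verdict["kind"] = "downward-referral"   # DS-unaware server; referral really is downward
            verdict["ds_absent_deducible"] = True   # the argument made in the post
        elif ns_owners:
            verdict["kind"] = "lame-referral"       # referral to the served zone itself or sideways
    return verdict


if __name__ == "__main__":
    ns_rdata = encode_name("ns1.example.com.")
    referral = build_message(0x8000, "example.com.", DS, [("example.com.", NS, ns_rdata)])
    print(classify_ds_response(referral, "com."))
```

`build_message` writes no compression pointers, but `read_name` handles them so the parser can be pointed at captured responses as well; for a real validator the "deducible" flag would of course be replaced by the signed denial of existence the resolver actually requires.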


