[dnssec-deployment] some observations about .SE's DNSSEC
jakob at rfc.se
Thu Sep 27 02:27:46 EDT 2007
On 27 sep 2007, at 00.41, Mark Andrews wrote:
> As AD is only supposed to be used where you trust the server
> could we use AD itself to signal that we want AD to be set in
> the response when DO is not set.
if you can set AD, why not set DO and just ignore the signatures in
the response? that's how we do it in the stand-alone implementation
of getrrsetbyname() used by OpenSSH-portable.
More information about the Dnssec-deployment