[dnssec-deployment] some observations about .SE's DNSSEC
Mark_Andrews at isc.org
Thu Sep 27 02:47:44 EDT 2007
> On 27 sep 2007, at 00.41, Mark Andrews wrote:
> > As AD is only supposed to be used where you trust the server
> > could we use AD itself to signal that we want AD to be set in
> > the response when DO is not set.
> if you can set AD, why not set DO and just ignore the signatures in
> the response? that's how we do it in the stand-alone implementation
> of getrrsetbyname() used by OpenSSH-portable.
Why ask for more than you need?
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the Dnssec-deployment