[dnssec-deployment] DNSSEC deployment hurdles

Paul Wouters paul at xelerance.com
Sun Aug 30 22:12:12 EDT 2009


On Mon, 31 Aug 2009, Mark Andrews wrote:

>> I assume it only does this when it is aware there is no signed parent or DLV
>> or when dnssec validation has not been enabled through the configuration file.
>> (though i think in the latter case it also no longer sets do=1)
>
> Unless the QNAME matches a trust anchor's name, or you have explicitly
> stated that part of the namespace is secure, you can't know if the
> answer to a particular query should be signed or not without rummaging

Okay, so if we have a trusted key for tld. containing a DS for sub.tld.
and we're sending queries to the nameservers of sub.tld. using do=1,
we won't drop them and go without do=1. That's what I thought, but I
wanted to make it clear, as Bert's explanation of do=1 removal did not make
that clear when he said bind would drop do=1 in certain cases.

I also thought bind no longer used do=1 when there was no need for it.
Wasn't that the "DSL routers are broken" bug that was hit in Sweden?

Paul
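The exchange above turns on what a validating resolver can know, before it asks, about whether an answer ought to be signed: a name that is a trust anchor is known secure, a delegation whose parent has proven "no DS" is known insecure, and a delegation whose DS has not been fetched yet is simply unknown. The following is an added illustration of that reasoning, not code from BIND or from anyone in this thread; the class name `ChainOracle`, the `"ds"` / `"nods"` / `None` labels, the sample zone names (`sub.tld.`, `unsigned.tld.`, `pending.tld.`) and the DO-bit policy in `send_with_do` are all constructed for the example and do not describe BIND's actual behaviour.

```python
"""Toy model of a validating resolver's knowledge about whether a signed
answer should be expected for a QNAME.  Added example for this thread; it is
not BIND code and does not reproduce BIND's real DO-bit policy."""

SECURE, INSECURE, UNKNOWN = "secure", "insecure", "unknown"


def parent_of(name):
    """Parent zone of a fully-qualified name: 'sub.tld.' -> 'tld.', 'tld.' -> '.'."""
    if name == ".":
        return None
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def ancestors(name):
    """Yield name itself, then each enclosing name up to and including the root."""
    while name is not None:
        yield name
        name = parent_of(name)


class ChainOracle:
    """What the resolver has accumulated so far: configured trust anchors, and for
    each delegation (zone cut) it has seen whether the parent publishes a DS
    ("ds"), has proven via NSEC that there is none ("nods"), or the DS has not
    been fetched yet (None).  Names below a trust anchor that are not listed are
    treated as not being zone cuts at all (a constructed simplification)."""

    def __init__(self, trust_anchors, delegations):
        self.trust_anchors = {n.lower() for n in trust_anchors}
        self.delegations = {k.lower(): v for k, v in delegations.items()}

    def expected_security(self, qname):
        """Walk from the QNAME up toward the root until a trust anchor is hit."""
        status = SECURE
        for name in ancestors(qname.lower()):
            if name in self.trust_anchors:
                return status          # reached a secure entry point
            ds = self.delegations.get(name, "not-a-cut")
            if ds == "nods":
                return INSECURE        # a proven-unsigned delegation breaks the chain
            if ds is None:
                status = UNKNOWN       # a cut whose DS we have not yet fetched
        return INSECURE                # no trust anchor covers this name at all

    def send_with_do(self, qname):
        """Constructed policy: keep DO=1 unless the chain is positively known
        to be broken, because only then is there nothing to gain from RRSIGs."""
        return self.expected_security(qname) != INSECURE


def thread_scenario():
    """Paul's case: a trust anchor for tld. and a DS for sub.tld. published in tld.
    The other delegations are constructed to show the remaining outcomes."""
    oracle = ChainOracle(
        trust_anchors=["tld."],
        delegations={
            "sub.tld.": "ds",         # tld. publishes a DS for sub.tld.
            "unsigned.tld.": "nods",  # tld. proved (NSEC) there is no DS
            "pending.tld.": None,     # DS record not looked up yet
        },
    )
    return {
        "host.sub.tld.": oracle.expected_security("host.sub.tld."),
        "host.unsigned.tld.": oracle.expected_security("host.unsigned.tld."),
        "host.pending.tld.": oracle.expected_security("host.pending.tld."),
        "example.": oracle.expected_security("example."),
        "do_for_sub": oracle.send_with_do("host.sub.tld."),
    }


if __name__ == "__main__":
    for name, result in thread_scenario().items():
        print(f"{name:22} -> {result}")
```

The `host.pending.tld.` case is Mark's point: until the DS for that cut has been fetched, the resolver cannot tell whether the answer should carry signatures, so it has to go and look (his "rummaging") rather than decide up front. The `host.sub.tld.` case is Paul's: with a trust anchor at tld. and a DS for sub.tld., the chain is complete and the query to sub.tld.'s servers is one where a signed answer is expected.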
