[Dnssec-deployment] DNSSEC aware recursive name servers
Matt Thompson
mthompson at hexwave.com
Sun Aug 7 14:09:43 EDT 2011
On 8/7/11 12:03 PM, Paul Vixie wrote:
>> The problem with DNSSEC that nobody has been able to answer is that
>> without a policy that says "I *require* DNSSEC validation for
>> mybank.com" or that every RRset must be signed within a given zone
>> .. what is a recursive to do when it gets a response with *NO* RRSIG
>> or DS? Without breaking everything, it is going to pass along the
>> response without validation. Unless I'm wrong I think this issue needs
>> to be addressed first.
> if there's supposed to be an RRSIG or DS you'll know it before you ask
> and you'll know, if you don't get one, that you're getting spoofed. that
> part is well covered.
So what's the mechanism for knowing that "there's supposed to be"?
That's exactly my point. How do I know before I ask? Agreed that it's
covered IF you know that there's supposed to be RRSIG or DS records.
Cheers,
Matt
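The mechanism being asked about, as an added example that is not part of this thread or of any DNS software: a toy model of how a validating resolver derives "supposed to be signed" from the parent's signed DS RRset (or a signed proof that no DS exists), so an unsigned answer under a DS-bearing delegation comes out bogus rather than silently accepted. The zone table and names are constructed.

```python
# Added example, not from the thread. Models the RFC 4035 rule: the parent's
# signed DS RRset, or a signed NSEC/NSEC3 denial of a DS, tells the resolver
# whether the child must carry RRSIGs. No real DNS packets are involved.
from typing import Dict, List

# Constructed zone table. "signed": does the zone publish RRSIGs?
# "ds": per delegation, True = DS present (signed), False = signed denial
# of a DS (insecure delegation), None = neither DS nor a signed denial.
ZONES: Dict[str, dict] = {
    ".":           {"signed": True,  "ds": {"com.": True, "example.": False}},
    "com.":        {"signed": True,  "ds": {"bank.com.": True,
                                            "broken.com.": True,
                                            "shop.com.": None}},
    "example.":    {"signed": False, "ds": {}},
    "bank.com.":   {"signed": True,  "ds": {}},
    "broken.com.": {"signed": False, "ds": {}},   # DS says signed, but no RRSIGs
    "shop.com.":   {"signed": True,  "ds": {}},
}


def chain(name: str) -> List[str]:
    """Delegation path from the root: 'bank.com.' -> ['.', 'com.', 'bank.com.']."""
    labels = [lab for lab in name.split(".") if lab]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate(name: str) -> str:
    """Return the DNSSEC state of `name`: 'secure', 'insecure' or 'bogus'."""
    state = "secure"  # the root is a configured trust anchor
    path = chain(name)
    for parent, child in zip(path, path[1:]):
        if state != "secure":
            # Below an insecure (or bogus) cut there is no signed DS to
            # consult, so nothing further down can become secure again.
            return state
        ds = ZONES[parent]["ds"].get(child)
        if ds is True:
            # Parent vouches for a child key: RRSIGs are required from here on.
            state = "secure" if ZONES.get(child, {}).get("signed") else "bogus"
        elif ds is False:
            # Signed proof that no DS exists: validation stops, answer is insecure.
            state = "insecure"
        else:
            # A signed parent returned neither a DS nor a signed denial:
            # treat as bogus (the resolver answers SERVFAIL), not as unsigned.
            state = "bogus"
    return state
```

`validate("broken.com.")` is the case in the question: the parent's DS says "signed", so an answer with no RRSIG is bogus, not passed along.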