[Dnssec-deployment] DNSSEC aware recursive name servers

Paul Vixie vixie at isc.org
Mon Aug 8 01:00:02 EDT 2011


> Date: Sun, 07 Aug 2011 13:09:43 -0500
> From: Matt Thompson <mthompson at hexwave.com>
> 
> > if there's supposed to be an RRSIG or DS you'll know it before you ask
> > and you'll know, if you don't get one, that you're getting spoofed.  that
> > part is well covered.
> 
> So what's the mechanism for knowing that "there's supposed to be"? That's
> exactly my point. How do I know before I ask? Agreed that it's covered IF
> you know that there's supposed to be RRSIG or DS records.

this isn't the place to regurgitate the spec.  

