[Dnssec-deployment] Fetching the RRSIGs can be a problem too.
vixie at isc.org
Fri Sep 2 03:32:09 EDT 2011
> From: Mark Andrews <marka at isc.org>
> Date: Fri, 02 Sep 2011 10:13:48 +1000
> Just the other day I was sitting in a hotel with a "transparent"
> intercepting DNS cache. This was not an issue for DNSSEC validation
> because it was DNSSEC aware and returned the records which allowed
> me to validate the responses. The only thing I needed to tweak was
> to set RD=1 on all queries or else the "transparent" intercepting
> DNS cache wouldn't recurse for me.
is this RD=1 fallback something we should enshrine in BIND and/or an RFC?
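
The fallback asked about above, sketched as an added example that is not part of the original thread and is not BIND code: a query goes out with RD=0 and DO=1, and is retried with RD=1 when the reply looks like it came from a recursive cache. The retry heuristic (RA=1, AA=0, no answers), the function names and the sample replies are assumptions made for illustration.

```python
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # header flag bits (RFC 1035)
DO = 0x8000                                      # EDNS0 "DNSSEC OK" flag (RFC 3225)

def build_query(name, qtype, rd, qid=0x1234):
    """Wire-format query carrying an EDNS0 OPT record with DO=1."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 1)
    labels = [l.encode() for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the fixed 12-byte header fields the fallback decision needs."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "rd": bool(flags & RD), "ra": bool(flags & RA),
            "aa": bool(flags & AA), "ancount": an}

def needs_rd_retry(query, response):
    """Assumed heuristic: an RD=0 query answered with RA=1, AA=0 and no
    answer records was handled by a cache that declined to recurse."""
    q, r = parse_header(query), parse_header(response)
    if q["id"] != r["id"] or q["rd"]:
        return False  # mismatched reply, or RD was already set
    return r["ra"] and not r["aa"] and r["ancount"] == 0

def constructed_reply(query, flags):
    """Constructed sample reply: the query echoed back with new flags, no answers."""
    return query[:2] + struct.pack("!H", flags) + query[4:]

if __name__ == "__main__":
    q = build_query("example.com", 48, rd=False)  # 48 = DNSKEY
    for label, flags in [("intercepting cache", QR | RA),
                         ("authoritative server", QR)]:
        retry = needs_rd_retry(q, constructed_reply(q, flags))
        print(f"{label}: retry with RD=1 -> {retry}")
```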