[dns-operations] All dual-stack DNS servers - any problem with it?

Paul Vixie paul at vix.com
Wed May 16 16:27:26 UTC 2007

> You can see, that the additional section is not signed, with renders the
> provided glue almost useless: we have to requery the glue from the root
> server, but do not get it signed!

no, you do not have to requery anything.  read the rfc's.

> All we can get is a signed DS-record, and have to check the trust chain
> ourself.


> If we limit the DNS size to 512 bytes, the results are frustrating: Every
> possible response is truncated, because the RRSIG is too long.

dnssec requires edns.

More information about the dns-operations mailing list