[dns-operations] security-aware stub resolver

Edward Lewis Ed.Lewis at neustar.biz
Thu May 22 18:46:07 UTC 2008

At 14:25 -0400 5/22/08, Joe Abley wrote:

>I had assumed that the "DNSSEC deployed" world would involve stub
>resolvers setting RD=1 and DO=1, and validators setting DO=1, and
>authority-only servers serving up security information. You seem to be
>saying that the final utopia in your mind looks different.

I assume that stubs would not rely on DO=1, but look for AD=1 and use 
message security (TSIG or VPN or ...).  A stub should not need to get 
the DNSSEC records.

Validators need DO=1 and CD=1.

That's assuming the normal case. A stub with CD=1 probably would only 
be doing that in a debug mode.  And off-hand I forget the settings 
for SERVFAIL, etc.
Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.

More information about the dns-operations mailing list