[dns-operations] security-aware stub resolver
Edward Lewis
Ed.Lewis at neustar.biz
Thu May 22 18:46:07 UTC 2008
At 14:25 -0400 5/22/08, Joe Abley wrote:
>I had assumed that the "DNSSEC deployed" world would involve stub
>resolvers setting RD=1 and DO=1, and validators setting DO=1, and
>authority-only servers serving up security information. You seem to be
>saying that the final utopia in your mind looks different.

I assume that stubs would not rely on DO=1, but look for AD=1 and use
message security (TSIG or VPN or ...). A stub should not need to get
the DNSSEC records.

Validators need DO=1 and CD=1.

That's assuming the normal case. A stub with CD=1 probably would only
be doing that in a debug mode. And off-hand I forget the settings
for SERVFAIL, etc.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Never confuse activity with progress. Activity pays more.
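
The flag settings discussed in this message, as an added example that is not part of the original post: it encodes the stub and validator query profiles and shows a stub accepting AD=1 only when the channel to its resolver is authenticated. The function names, query ID, UDP payload size of 1232, the validator's clear RD bit and the SERVFAIL branch (RFC 4035 behaviour, not something the post states) are assumptions.

```python
import struct

RD, AD, CD = 0x0100, 0x0020, 0x0010  # DNS header flag bits
DO = 0x8000                          # EDNS0 flag, carried in the OPT RR's TTL field
SERVFAIL = 2

def build_query(qname, qtype=1, *, rd=False, cd=False, do=False, qid=0x1234):
    """Encode a one-question query; an OPT RR is appended only when do=True."""
    flags = (RD if rd else 0) | (CD if cd else 0)
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 1 if do else 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.split(".") if l) + b"\x00"
    question = name + struct.pack("!2H", qtype, 1)
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = flags, RDLEN 0
    opt = (b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)) if do else b""
    return header + question + opt

def stub_query(qname):
    """Stub profile from the post: RD=1, no DO, no CD."""
    return build_query(qname, rd=True)

def validator_query(qname):
    """Validator profile from the post: DO=1 and CD=1 (RD left clear, an assumption)."""
    return build_query(qname, cd=True, do=True)

def stub_verdict(response, channel_authenticated):
    """Decide how a non-validating stub should treat a response's AD bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if (flags & 0x000F) == SERVFAIL:
        return "servfail"  # with CD=0 a validating resolver reports bogus data this way
    if not (flags & AD):
        return "insecure"
    # AD is one unsigned header bit: without TSIG/VPN anything on path can set it
    return "secure" if channel_authenticated else "ad-unverified"

if __name__ == "__main__":
    # Constructed 12-byte response header: QR, RD, RA and AD set, RCODE 0
    sample = struct.pack("!6H", 0x1234, 0x8000 | RD | 0x0080 | AD, 1, 0, 0, 0)
    print(stub_verdict(sample, channel_authenticated=True))
    print(stub_verdict(sample, channel_authenticated=False))
```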