[dns-operations] The perils of retroactive DNSSEC validation
drc at virtualized.org
Fri Nov 14 22:05:49 UTC 2008
Just a clarification:
On Nov 14, 2008, at 1:21 PM, Edward Lewis wrote:
>> DO has nothing to do with validation.
> DNSSEC OK bit - it's meant to be set when the querier has a trust
> anchor for a domain in which the QNAME sits.
Well, it _was_ meant to do that, but because I used unfortunate
wording, implementors interpreted the RFC differently. BIND (for
example) sets DO by default, even if trust anchors haven't been
configured or the two configuration options to turn on DNSSEC have
DO must now be interpreted to mean the validator supports DNSSEC-
related RRs, not that it is going to do anything useful with them.
More information about the dns-operations