[dns-operations] The perils of retroactive DNSSEC validation

David Conrad drc at virtualized.org
Fri Nov 14 22:05:49 UTC 2008


Just a clarification:

On Nov 14, 2008, at 1:21 PM, Edward Lewis wrote:
>> DO has nothing to do with validation.
> DNSSEC OK bit - it's meant to be set when the querier has a trust anchor for a domain in which the QNAME sits.

Well, it _was_ meant to do that, but because I used unfortunate wording, implementors interpreted the RFC differently.  BIND (for example) sets DO by default, even if trust anchors haven't been configured or the two configuration options to turn on DNSSEC have been enabled.

DO must now be interpreted to mean the validator supports DNSSEC-related RRs, not that it is going to do anything useful with them.
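To make the distinction concrete, here is an added example (not from the original message or the thread) that builds a minimal DNS query carrying an EDNS0 OPT record with DO=1 and reads the flags back. DO lives in the OPT pseudo-RR's "TTL" field and only advertises that the sender accepts DNSSEC RRs; whether a resolver is actually checking signatures is not encoded there (the header CD/AD bits are the only validation-related signals on the wire). The query name and ID are constructed sample values.

```python
import struct

def build_query(qname, do_bit, cd_flag=False):
    """Return a DNS query (constructed sample) with one EDNS0 OPT record."""
    flags = 0x0100 | (0x0010 if cd_flag else 0)          # RD, optionally CD
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)           # QTYPE A, QCLASS IN
    # OPT RR: root name, type 41, UDP size 4096, "TTL" = ext RCODE | version | Z flags.
    # DO is the high bit of the 16-bit Z flags, i.e. 0x8000 of the 32-bit field.
    ttl_field = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, ttl_field, 0)
    return header + question + opt

def _skip_name(buf, off):
    """Advance past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def edns_flags(pkt):
    """Report DO (from the OPT RR) alongside the header's CD and AD bits."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    result = {"do": False, "cd": bool(flags & 0x0010), "ad": bool(flags & 0x0020)}
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4                   # name + QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:                                  # OPT pseudo-RR
            result["do"] = bool(ttl & 0x8000)
            return result
        off += 10 + rdlen
    return result

if __name__ == "__main__":
    # A DO=1 query looks identical whether or not the sender holds a trust anchor.
    print(edns_flags(build_query("example.", do_bit=True)))
```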
