[dns-operations] Problems resolving .gov using DLV

Kim Davies kim.davies at icann.org
Mon Mar 16 22:38:57 UTC 2009

On 3/16/09 3:30 PM, "Michael Sinatra" <michael at rancid.berkeley.edu> wrote:
> GOV is signed with a key that DLV supports, but many caching resolvers
> don't.  On the surface that's okay.  If I don't try to add .gov's trust
> anchor, I just treat it as 'insecure' and move on.
> The problem occurs with .gov's key gets put in the DLV.  Now my caching
> resolver feels that it MUST trust this key, but it doesn't support the
> algorithm.  Hence gov == SERVFAIL.

For what its worth, we had similar feedback regarding the ITAR. We modified
the tool used to generate BIND configurations by adding a "--skip-nsec3"
flag that allows administrators using BIND 9.5 to suppress these trust
anchors as a temporary measure.


More information about the dns-operations mailing list