[dns-operations] Problems resolving .gov using DLV
Kim Davies
kim.davies at icann.org
Mon Mar 16 22:38:57 UTC 2009
On 3/16/09 3:30 PM, "Michael Sinatra" <michael at rancid.berkeley.edu> wrote:
>
> GOV is signed with a key that DLV supports, but many caching resolvers
> don't. On the surface that's okay. If I don't try to add .gov's trust
> anchor, I just treat it as 'insecure' and move on.
>
> The problem occurs when .gov's key gets put in the DLV. Now my caching
> resolver feels that it MUST trust this key, but it doesn't support the
> algorithm. Hence gov == SERVFAIL.
For what it's worth, we had similar feedback regarding the ITAR. We modified
the tool used to generate BIND configurations by adding a "--skip-nsec3"
flag that allows administrators using BIND 9.5 to suppress these trust
anchors as a temporary measure.
kim
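Added illustration of the failure mode in this thread and of the kind of filtering the "--skip-nsec3" flag performs. This is example code written for this page, not code from the thread, from BIND, or from ICANN's ITAR tool; the function names, the assumption that a pre-NSEC3 resolver such as BIND 9.5 validates only algorithms 1, 3 and 5, and all key material below are constructed for the example. The algorithm numbers themselves are the IANA-registered ones (RFC 4034, RFC 5155).

```python
"""Filter trust anchors a resolver cannot validate, in the spirit of the
ITAR tool's --skip-nsec3 flag, and classify the resulting resolver outcome.
Added example; the key strings below are constructed, not real DNSKEYs."""
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry (RFC 4034, RFC 5155).
RSAMD5, DSA, RSASHA1 = 1, 3, 5
DSA_NSEC3_SHA1, RSASHA1_NSEC3_SHA1 = 6, 7
NSEC3_ALGORITHMS = {DSA_NSEC3_SHA1, RSASHA1_NSEC3_SHA1}
# Assumption for this example: a pre-NSEC3 resolver (the BIND 9.5 case in
# the thread) validates only the original RFC 4034 algorithms.
PRE_NSEC3_ALGORITHMS = {RSAMD5, DSA, RSASHA1}

# Constructed trusted-keys block; the base64 is placeholder text, not a key.
SAMPLE_TRUSTED_KEYS = '''
trusted-keys {
    "gov." 257 3 7 "AwEAAcons tructedK eyMater ialNotA RealGov Key==";
    "example." 257 3 5 "AwEAAconstructedKeyMaterialForExample==";
};
'''


@dataclass(frozen=True)
class TrustAnchor:
    zone: str        # owner name, lower-cased, without trailing dot
    flags: int       # 257 = KSK (SEP bit set)
    protocol: int    # always 3 for DNSSEC
    algorithm: int   # IANA algorithm number
    key: str         # base64 public key with whitespace removed


def parse_trusted_keys(text):
    """Parse a BIND-style 'trusted-keys { ... };' block into TrustAnchor objects."""
    body = text.split("{", 1)[1].rsplit("}", 1)[0]
    anchors = []
    for stmt in body.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        zone, flags, proto, alg, key = stmt.split(None, 4)
        anchors.append(TrustAnchor(
            zone=zone.strip('"').rstrip(".").lower(),
            flags=int(flags), protocol=int(proto), algorithm=int(alg),
            key="".join(key.replace('"', "").split()),
        ))
    return anchors


def render_trusted_keys(anchors):
    """Emit anchors as a BIND trusted-keys block (one statement per key)."""
    lines = ["trusted-keys {"]
    for a in anchors:
        lines.append(f'    "{a.zone}." {a.flags} {a.protocol} {a.algorithm} "{a.key}";')
    lines.append("};")
    return "\n".join(lines)


def filter_anchors(anchors, supported_algorithms, skip_nsec3=False):
    """Return (kept, skipped). skip_nsec3 drops every NSEC3 algorithm anchor
    regardless of the supported set, which is what --skip-nsec3 does."""
    kept, skipped = [], []
    for a in anchors:
        unusable = (a.algorithm not in supported_algorithms
                    or (skip_nsec3 and a.algorithm in NSEC3_ALGORITHMS))
        (skipped if unusable else kept).append(a)
    return kept, skipped


def validation_outcome(zone, anchors, supported_algorithms):
    """Classify a zone as the thread describes: no configured anchor means
    the zone is treated as insecure; an anchor whose algorithm the resolver
    lacks makes every answer bogus (SERVFAIL); otherwise validation proceeds.
    Returns 'insecure', 'SERVFAIL' or 'validate'."""
    configured = [a for a in anchors if a.zone == zone]
    if not configured:
        return "insecure"
    if all(a.algorithm not in supported_algorithms for a in configured):
        return "SERVFAIL"
    return "validate"


if __name__ == "__main__":
    anchors = parse_trusted_keys(SAMPLE_TRUSTED_KEYS)
    kept, skipped = filter_anchors(anchors, PRE_NSEC3_ALGORITHMS, skip_nsec3=True)
    for a in skipped:
        print(f"skipping {a.zone}: algorithm {a.algorithm} not supported")
    print(render_trusted_keys(kept))
```

Running the block prints the filtered trusted-keys block with the NSEC3-signed anchor removed; with the original anchors the .gov zone classifies as SERVFAIL, with the filtered set it falls back to insecure, which is the behaviour the thread describes.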