[dns-operations] BIND version and NSEC3

Jaap Akkerhuis jaap at NLnetLabs.nl
Fri May 15 20:30:40 UTC 2009

Hi Ed,
    Well, I thought the same.  But I am interested in what roadblocks 
    there are to DNSSEC deployment.
    One thing I've noted - delegation-only.  Another case of mucking with 
    the protocol that has come back to haunt us. ;)  What were once 
    "delegation-only" zones are proving not to be thanks to the DS 
    resource record.  That I think is salient.

(Had to look up "salient", but yes) I do agree. As some people know
I once had the idea to stamp out the use of delegation-only as much
as possible. However, by the time root-delegation-only got added I
realized that that battle was lost before it started.

Anyway, this observation explains why other validating reolvers
didn't reported this problem since they don;t do the delegation-oly
(or similar) thing.


More information about the dns-operations mailing list