[dns-operations] Setting DO=1 only if validation is possible
Florian Weimer
fw at deneb.enyo.de
Sun Oct 4 16:27:51 UTC 2009
BIND and Unbound set DO=1 unconditionally.
I took the liberty of testing 68.87.64.154 (one of Comcast's DNSSEC
test servers, <http://www.dnssec.comcast.net/>) to see if it sets DO=1
on upstream queries even if there is an obvious lack of trust anchors
and the client didn't send a DO=1 query. It seems to always set DO=1.
According to Comcast's web page and to fpdns, this host is running
Nominum's recursor.
Does this mean that there are no security-aware, validating DNSSEC
resolvers which set DO=1 only when necessary?
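The check above boils down to looking at the EDNS0 OPT record of the queries a resolver sends upstream: the DO bit (RFC 3225) is the most significant bit of the 16-bit flags field that sits in the OPT RR's TTL position (RFC 6891). The following is an added example, not code from the post or from any of the resolvers named; it builds queries with DO=1, DO=0 and without EDNS0 at all, and classifies an arbitrary DNS message (for instance one captured from a resolver's upstream traffic with tcpdump and fed in as raw bytes) by whether it carries an OPT RR and whether DO is set. The query name and transaction id are constructed sample values.

```python
import struct

# DNSSEC OK bit: MSB of the 16-bit flags that occupy the OPT RR's "TTL" field
# (ext-rcode 8 bits, version 8 bits, flags 16 bits; RFC 6891 section 6.1.3).
DO_FLAG = 0x8000
TYPE_OPT = 41


def encode_name(name):
    """Encode a dotted name into DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, edns=True, do=True, udp_size=4096):
    """Build a recursive query; optionally append an EDNS0 OPT RR with or without DO.
    qname/txid are constructed sample inputs for the example."""
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 if OPT present.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns:
        flags = DO_FLAG if do else 0
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # "TTL" = ext-rcode | version | flags, RDLENGTH=0.
        opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, 0, 0, flags, 0)
    return header + question + opt


def skip_name(buf, off):
    """Return the offset just past the name at buf[off], handling compression pointers."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + ln


def do_bit(msg):
    """Inspect a raw DNS message (query or response).
    Returns True if an OPT RR with DO=1 is present, False if an OPT RR without DO
    is present, and None if the message carries no EDNS0 OPT RR at all."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return bool(ttl & DO_FLAG)
    return None


def classify(msg):
    """Human-readable verdict for a captured upstream query."""
    verdict = do_bit(msg)
    if verdict is None:
        return "no EDNS0"
    return "DO=1" if verdict else "DO=0"


if __name__ == "__main__":
    for label, q in (("DO=1 query", build_query("example.com.", do=True)),
                     ("DO=0 query", build_query("example.com.", do=False)),
                     ("plain query", build_query("example.com.", edns=False))):
        print(f"{label:12s} {len(q):3d} bytes -> {classify(q)}")
```

To apply this to a live resolver, capture its outbound port-53 UDP traffic, strip the IP/UDP headers (or use a pcap reader) and pass each payload to `classify`; a resolver that behaves as the post describes will report DO=1 on every upstream query, including those triggered by clients that sent no OPT RR at all.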