[dns-operations] GSLB options?

Paul Vixie vixie at isc.org
Thu Oct 29 05:27:43 UTC 2009


> Date: Wed, 28 Oct 2009 20:01:06 -0700
> From: Michael Sinatra <michael at rancid.berkeley.edu>
> 
> Have any of the GSLB implementations been able to implement DNSSEC or is
> it on the roadmap?  Considering that they selectively return different A
> records for queries and those answers typically have very low ttls, such
> RRs are arguably more susceptible to various cache-poisoning methods.  I
> think Paul has made this point in the past; is anyone doing anything
> about it?

as long as every possible incoherent answer is signed, and the right
signature goes out with any given incoherent answer, all will be well.

david lawrence of akamai gave a brief preso about this at i think IEPG
in i think 2008.  it'll take custom signature general logic and it'll
require mods to the custom dns response logic.  not an impossible task.
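
An added illustration of the point in the reply above (not part of the original message, and not any GSLB vendor's code): each location-dependent answer is signed ahead of time, and the response logic must send the signature made for the answer it chose. The toy textbook-RSA key, the simplified canonical form, the region names and the addresses are all assumptions constructed for this sketch; real RRSIGs also cover inception and expiration times and use a real DNSSEC algorithm.

```python
import hashlib

# Toy textbook-RSA key built from two Mersenne primes: a stand-in for a real
# DNSSEC zone-signing key, far too small and unpadded for any real use.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the signer only

def canonical(owner, ttl, addrs):
    """Simplified canonical form of an A RRset: lowercase owner, sorted rdata."""
    return f"{owner.lower()}|A|{ttl}|{','.join(sorted(addrs))}".encode()

def digest(owner, ttl, addrs):
    raw = hashlib.sha256(canonical(owner, ttl, addrs)).digest()
    return int.from_bytes(raw, "big") % N

def sign(owner, ttl, addrs):
    return pow(digest(owner, ttl, addrs), D, N)

def validate(owner, ttl, addrs, sig):
    """What a validating resolver does, using only the public values (N, E)."""
    return pow(sig, E, N) == digest(owner, ttl, addrs)

# Constructed sample data: one name, three location-dependent answers.
OWNER, TTL = "www.example.com.", 30
VARIANTS = {
    "us-west": ["192.0.2.10", "192.0.2.11"],
    "eu": ["198.51.100.20"],
    "apac": ["203.0.113.30"],
}

# Signing pass: every answer the balancer can ever give gets its own signature.
SIGNED = {region: (addrs, sign(OWNER, TTL, addrs))
          for region, addrs in VARIANTS.items()}

def respond(region):
    """Response logic: pick the variant and the signature made for that variant."""
    return SIGNED.get(region, SIGNED["us-west"])

def respond_broken(region):
    """Bug to avoid: answer chosen per client, signature taken from one default."""
    return SIGNED[region][0], SIGNED["us-west"][1]

if __name__ == "__main__":
    for region in VARIANTS:
        good = validate(OWNER, TTL, *respond(region))
        bad = validate(OWNER, TTL, *respond_broken(region))
        print(f"{region}: matched signature valid={good}, default signature valid={bad}")
```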


