[dns-operations] The possible problems after May 5th

Phil Regnauld regnauld at nsrc.org
Fri Apr 9 11:35:05 UTC 2010

Matthew Dempsky (matthew) writes:
> Why?  How does the root zone being signed affect TCP requirements for
> non-root name servers?

	BIND sets DO on upstream requests even when the client doesn't.
	So, even if your caching server doesn't ask for DNSSEC data,
	if it's downstream of BIND (this may not be the only implementation
	doing this), you can run into issues.


	"In those circumstances the root servers may send back additional DNSSEC records which may cause problems in the unlikely event that you've got broken network gear and/or misconfigured firewalls in the path."


More information about the dns-operations mailing list