[dns-operations] The possible problems after May 5th
regnauld at nsrc.org
Fri Apr 9 11:35:05 UTC 2010
Matthew Dempsky (matthew) writes:
> Why? How does the root zone being signed affect TCP requirements for
> non-root name servers?
BIND sets DO on upstream requests even when the client doesn't.
So, even if your caching server doesn't ask for DNSSEC data,
if it's downstream of BIND (this may not be the only implementation
doing this), you can run into issues.
"In those circumstances the root servers may send back additional DNSSEC records which may cause problems in the unlikely event that you've got broken network gear and/or misconfigured firewalls in the path."