[dns-operations] The possible problems after May 5th
marka at isc.org
Fri Apr 9 12:21:50 UTC 2010
In message <20100409113503.GI12586 at macbook.catpipe.net>, Phil Regnauld writes:
> Matthew Dempsky (matthew) writes:
> > Why? How does the root zone being signed affect TCP requirements for
> > non-root name servers?
> BIND sets DO on upstream requests even when the client doesn't.
> So, even if your caching server doesn't ask for DNSSEC data,
> if it's downstream of BIND (this may not be the only implementation
> doing this), you can run into issues.
> "In those circumstances the root servers may send back additional DNSSEC
> records which may cause problems in the unlikely event that you've got broken
> network gear and/or misconfigured firewalls in the path."
Which doesn't answer the query.
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations