[dns-operations] we may finally have a dnssec use case ; -) Re: Odd behaviour of DNS queries in PRC (facebook, youtube & twitter)
Matthew Dempsky
matthew at dempsky.org
Fri Mar 26 00:31:40 UTC 2010
On Thu, Mar 25, 2010 at 4:06 PM, Joe Abley <jabley at hopcount.ca> wrote:
> As soon as you replace RRSIGs, validation will fail. For any validator to accept your RRSIGs, you need to be able to control the validators' locally-configured trust anchors.
Validation may fail, but the important consequence is what users do in
response. E.g., as an extreme case, if China started filtering all
queries with the DO bit set, then I'd expect users would largely just
disable DNSSEC in their recursive resolvers.
More information about the dns-operations
mailing list