[dns-operations] we may finally have a dnssec use case ; -) Re: Odd behaviour of DNS queries in PRC (facebook, youtube & twitter)

Matthew Dempsky matthew at dempsky.org
Fri Mar 26 00:31:40 UTC 2010

On Thu, Mar 25, 2010 at 4:06 PM, Joe Abley <jabley at hopcount.ca> wrote:
> As soon as you replace RRSIGs, validation will fail. For any validator to accept your RRSIGs, you need to be able to control the validators' locally-configured trust anchors.

Validation may fail, but the important consequence is what users do in
response.  E.g., as an extreme case, if China started filtering all
queries with the DO bit set, then I'd expect users would largely just
disable DNSSEC in their recursive resolvers.

More information about the dns-operations mailing list