[dns-operations] non signing Bind & DNSSEC: a note of caution

Michael Graff mgraff at isc.org
Mon Feb 7 20:30:18 UTC 2011


On 2011-02-07 12:28 PM, Wes Hardaker wrote:
>>>>>> On Mon, 07 Feb 2011 05:22:42 -0600, Michael Graff <mgraff at isc.org> said:
> 
> MG> I also feel a global "don't be smart about anything I give you" switch
> MG> needs to go in, where named will serve whatever it is told, no matter
> MG> how insane it may be with respect to DNSSEC data.
> 
> I'd look at it more generically than that.  Either:

I agree with all your points.

ISC has a reworking of the signing portion of BIND 9 on the road-map for
2011, including a bump in the wire type signer.  It's really just a
matter of funding and people to work on it at this stage.

I'm willing to discuss either of these points if anyone has money or time.

--Michael