[dns-operations] Research Project: Identifying DNSSEC Validators
Mark Andrews
marka at isc.org
Fri Sep 7 22:40:09 UTC 2012
In message <20120907071041.GA1905 at nic.fr>, Stephane Bortzmeyer writes:
> On Thu, Sep 06, 2012 at 10:43:12AM -0700,
> Wessels, Duane <dwessels at verisign.com> wrote
> a message of 39 lines which said:
>
> > I wouldn't say our setup assumes only one recursive in the path,
>
> From my colleague Kim Minh Kaplan:
>
> In the case where one of the forwarders is non validating, it will
> happily accept and cache the non signed response. When the local
> validating resolver retries its query to the non validating forwarder,
> the forwarder can reply with the cached, non signed answer.
And is a perfect example of why CD=1 always is *wrong* as it disables
validation in the forwarder.
> My understanding is that many dnssec-trigger users will be in such a
> setup.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
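
The caching behaviour discussed in this message, as an added toy model in Python (not code from the thread or from any resolver). The class names, the sample name and the addresses are constructed, and the forwarder's handling of CD is a simplifying assumption.

```python
# Added illustration: a toy model, not real DNS and not code from the thread.
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    rdata: str
    signed: bool  # True when the answer carries RRSIGs that verify

class Upstream:
    """Constructed upstream for a signed zone: the first reply is unsigned
    (stripped or spoofed), every later reply is the genuine signed one."""
    def __init__(self):
        self.sent = 0
    def query(self, name):
        self.sent += 1
        if self.sent == 1:
            return Answer("192.0.2.66", signed=False)
        return Answer("192.0.2.1", signed=True)

class Forwarder:
    def __init__(self, upstream, validating):
        self.upstream, self.validating, self.cache = upstream, validating, {}
    def query(self, name, cd):
        if name in self.cache:
            return self.cache[name]          # cached data is served as-is
        ans = self.upstream.query(name)
        # Assumption: only a validating forwarder asked with CD=0 checks the answer.
        if self.validating and not cd and not ans.signed:
            return None                      # SERVFAIL, bad answer is not cached
        self.cache[name] = ans
        return ans

def resolve(forwarder, name, cd, tries=3):
    """Local validating resolver: accept only signed data, retry otherwise."""
    for _ in range(tries):
        ans = forwarder.query(name, cd)
        if ans is not None and ans.signed:
            return ans.rdata
    return "SERVFAIL"

def run(validating, cd):
    return resolve(Forwarder(Upstream(), validating), "www.example.", cd)

if __name__ == "__main__":
    for validating, cd in [(False, True), (True, True), (True, False)]:
        print(f"forwarder validating={validating} CD={int(cd)} -> {run(validating, cd)}")
```

In this model only the validating forwarder queried with CD=0 keeps the unsigned answer out of its cache, so only that case recovers on retry.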