[dns-operations] Research Project: Identifying DNSSEC Validators

Mark Andrews marka at isc.org
Fri Sep 7 22:40:09 UTC 2012


In message <20120907071041.GA1905 at nic.fr>, Stephane Bortzmeyer writes:
> On Thu, Sep 06, 2012 at 10:43:12AM -0700,
>  Wessels, Duane <dwessels at verisign.com> wrote 
>  a message of 39 lines which said:
> 
> > I wouldn't say our setup assumes only one recursive in the path,
> 
> From my colleague Kim Minh Kaplan:
> 
> In the case where one of the forwarders is non validating, it will
> happily accept and cache the non signed response. When the local
> validating resolver retries its query to the non validating forwarder,
> the forwarder can reply with the cached, non signed answer.

And this is a perfect example of why CD=1 always is *wrong*, as it disables
validation in the forwarder.

> My understanding is that many dnssec-trigger users will be in such a
> setup.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
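To make the failure mode in the quoted scenario concrete, here is an added toy model (not code from any resolver or from the thread's authors) of a validating local resolver sitting behind a single forwarder. It assumes a constructed upstream whose first response has its RRSIGs stripped and whose later responses are intact, and reduces "validation" to a single `signed` flag meaning the signatures are present and verify under the trust anchor.

```python
"""Toy model: validating stub -> forwarder -> (constructed) upstream."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Answer:
    name: str
    rdata: str
    signed: bool  # RRSIGs present and they verify under the trust anchor


@dataclass
class Forwarder:
    validating: bool
    cache: Dict[str, Answer] = field(default_factory=dict)

    def query(self, name: str, upstream: Callable[[str], Answer], cd: bool) -> Optional[Answer]:
        if name in self.cache:
            return self.cache[name]  # cached data is served as-is, signed or not
        ans = upstream(name)
        # CD=1 from the client switches validation off in this forwarder,
        # so only a validating forwarder asked with CD=0 rejects bogus data.
        if self.validating and not cd and not ans.signed:
            return None  # SERVFAIL: the unsigned answer is neither cached nor returned
        self.cache[name] = ans  # a non-validating forwarder happily caches it
        return ans


def make_flaky_upstream() -> Callable[[str], Answer]:
    """Constructed upstream: RRSIGs are stripped from the first response only."""
    calls = {"n": 0}

    def upstream(name: str) -> Answer:
        calls["n"] += 1
        return Answer(name, "192.0.2.1", signed=calls["n"] > 1)

    return upstream


def validating_stub(name: str, fwd: Forwarder, upstream: Callable[[str], Answer],
                    cd: bool, retries: int = 3) -> Optional[Answer]:
    """Local validating resolver: retries the forwarder, accepts only validated answers."""
    for _ in range(retries):
        ans = fwd.query(name, upstream, cd)
        if ans is not None and ans.signed:
            return ans
        # SERVFAIL or an unsigned answer for a signed zone: bogus, retry
    return None  # persistent SERVFAIL to the application
```

With a non-validating forwarder the stripped answer is cached on the first attempt and every retry returns it, so the stub never sees valid data until the TTL expires; with a validating forwarder and CD=0 the first attempt fails cleanly and the retry succeeds; sending CD=1 to the validating forwarder reproduces the non-validating outcome.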


