nanog mailing list archives

Re: US government mandates? use of DNSSEC by federal agencies


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Wed, 27 Aug 2008 13:13:42 -0400

On Wed, 27 Aug 2008 09:53:26 -0700
"Kevin Oberman" <oberman () es net> wrote:


> > So the question I have is... will operators (ISP, etc) turn on
> > DNSsec checking? Or a more basic question of whether you even
> > _could_ turn on checking if you were so inclined?
>
> As far as I can see, at least with bind-9.5, operators would have to
> turn it off. It looks to me like dnssec-validation defaults to on. It
> also appears that bind-9.4 defaults to 'off'.

Right.  The real questions are the clients and the trust anchor -- what
root key do you support?


                --Steve Bellovin, http://www.cs.columbia.edu/~smb

