nanog mailing list archives

Re: trouble with .gov dns?


From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 03 May 2011 07:19:21 +0200

* Tony Finch:

Florian Weimer <fw () deneb enyo de> wrote:

I have "dnssec-enable no;" in my bind config.

It does not seem to have the intended effect.

BIND's interpretation of the DO bit is "I understand DNSSEC RRs so
it is OK to send them" not "I would like you to send DNSSEC
RRs". This is why it always sets the DO bit when it can, i.e. when
the request contains an EDNS OPT pseudo-RR.

I would go even further---the DO bit is not about DNSSEC at all.  The
resolver just promises to ignore any ancillary record sets it does not
understand.  If DO were about DNSSEC, a new flag would have been
introduced along with DNSSECbis, where the record types changed so
that for resolvers implementing the older protocol, the DNSSECbis
records just looked like garbage.
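Added example, not code from the thread or from BIND: the bit Tony and Florian are discussing is carried in the EDNS0 OPT pseudo-RR (RFC 6891). This standard-library Python builds a query with an OPT RR and the DO bit set, and walks a message to report whether DO is present; function names such as build_query and do_bit_set are my own.

```python
# Added example (not from the thread): build a DNS query carrying an EDNS0 OPT
# pseudo-RR with the DO bit set, and parse the DO bit back out of a message.
# Wire format per RFC 6891: OPT is an RR in the additional section with
# NAME = root (0x00), TYPE = 41, CLASS = UDP payload size, and the 32-bit TTL
# field reinterpreted as ext-RCODE(8) | VERSION(8) | DO(1) | Z(15).
import struct

OPT_TYPE = 41
DO_FLAG = 0x8000  # DO is the top bit of the low 16 bits of the OPT "TTL"


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, udp_size=4096, do=True):
    """Return a DNS query for qname with one EDNS0 OPT RR (DO set if do=True)."""
    # id (constructed), flags = RD only, 1 question, 0 answer, 0 authority, 1 additional
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    ttl = DO_FLAG if do else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n


def do_bit_set(msg):
    """Walk a query or response; True if an OPT RR with DO set is present."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return False
```

Feeding a captured query or response into do_bit_set shows which side actually asserted DO, which is what a "dnssec-enable no;" check comes down to.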
