nanog mailing list archives
Re: trouble with .gov dns?
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 03 May 2011 07:19:21 +0200
* Tony Finch:
> Florian Weimer <fw () deneb enyo de> wrote:
>
>> I have "dnssec-enable no;" in my bind config.
>> It does not seem to have the intended effect.
>
> BIND's interpretation of the DO bit is "I understand DNSSEC RRs so it is OK to send them" not "I would like you to send DNSSEC RRs". This is why it always sets the DO bit when it can, i.e. when the request contains an EDNS OPT pseudo-RR.
I would go even further---the DO bit is not about DNSSEC at all. The resolver just promises to ignore any ancillary record sets it does not understand. If DO were about DNSSEC, a new flag would have been introduced along with DNSSECbis, where the record types changed so that for resolvers implementing the older protocol, the DNSSECbis records just looked like garbage.
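The exchange above turns on where the DO bit actually lives: it is not a header flag but the top bit of the extended flags carried in the TTL field of the EDNS OPT pseudo-RR (RFC 3225). The following is an added example, not code from the thread or from BIND, that builds a minimal query with and without an OPT record and reads the DO bit back out; the query name and UDP payload size are constructed sample values.

```python
import struct

DO_FLAG = 0x8000  # RFC 3225: "DNSSEC OK", the top bit of the OPT RR's 16 extended flag bits

def encode_name(name):
    # Wire-format a dotted name as length-prefixed labels terminated by the root label.
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, edns=True, do=False, txid=0x1234):
    # Header: id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=1 when an OPT RR is appended.
    arcount = 1 if edns else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    if edns:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = requestor's UDP payload size (4096 is a sample value),
        # TTL = extended RCODE (8 bits) | EDNS version (8 bits) | flags (16 bits), empty RDATA.
        flags = DO_FLAG if do else 0
        ttl = (0 << 24) | (0 << 16) | flags
        pkt += b"\x00" + struct.pack("!HHIH", 41, 4096, ttl, 0)
    return pkt

def skip_name(pkt, off):
    # Advance past a wire-format name, handling a compression pointer if one is present.
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def edns_info(pkt):
    # Walk the message sections; report whether an OPT RR is present and what its DO bit says.
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            return {"edns": True, "do": bool(ttl & DO_FLAG), "udp_size": rclass}
    # No OPT RR: a plain DNS query, limited to 512-byte UDP responses and with no DO bit at all.
    return {"edns": False, "do": False, "udp_size": 512}
```

A query without an OPT record has nowhere to carry DO, which is why the thread ties BIND's behaviour to the presence of the EDNS OPT pseudo-RR rather than to the `dnssec-enable` setting.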