
trouble with .gov dns?



* Tony Finch:

> Florian Weimer <fw at deneb.enyo.de> wrote:
>>
>> > I have "dnssec-enable no;" in my bind config.
>>
>> It does not seem to have the intended effect.
>
> BIND's interpretation of the DO bit is "I understand DNSSEC RRs so
> it is OK to send them" not "I would like you to send DNSSEC
> RRs". This is why it always sets the DO bit when it can, i.e. when
> the request contains an EDNS OPT pseudo-RR.

I would go even further---the DO bit is not about DNSSEC at all.  The
resolver just promises to ignore any ancillary record sets it does not
understand.  If DO were about DNSSEC, a new flag would have been
introduced along with DNSSECbis, where the record types changed so
that for resolvers implementing the older protocol, the DNSSECbis
records just looked like garbage.
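To make the mechanics behind this exchange concrete, here is an added example (not code from the thread, from BIND, or from any of the posters) that builds a DNS query on the wire with and without an EDNS0 OPT pseudo-RR, reads the DO bit back out of the OPT record's TTL field, and implements the forwarding policy Tony describes: set DO on the upstream query whenever the client's request carried an OPT RR at all, regardless of whether the client itself asked for DO. The wire layout follows RFC 6891 (type 41, class = requested UDP payload size, TTL = extended RCODE / version / flags with DO as the high bit of the flags). The function `upstream_do_bit` is my reading of the policy as stated in the thread, not BIND's actual code; the query name and ID are made up.

```python
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000     # DNSSEC OK: high bit of the 16-bit flags in the OPT TTL (RFC 3225)


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def build_query(qname, qtype=1, edns=True, do=False, udp_payload=4096, qid=0x1234):
    """Build a wire-format query; when edns is True, append an OPT pseudo-RR
    in the additional section with the DO bit set according to `do`."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set, 1 question
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)     # QCLASS IN
    msg = header + question
    if edns:
        flags = DO_FLAG if do else 0
        ttl = (0 << 24) | (0 << 16) | flags   # extended RCODE 0, EDNS version 0, flags
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, ttl, 0)
    return msg


def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:    # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_edns(msg):
    """Return (has_opt, do_bit, udp_payload) for the OPT RR in the additional
    section, or (False, False, None) when the message carries no OPT RR."""
    _qid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # questions: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    for _ in range(an + ns):                 # answer and authority RRs
        off = skip_name(msg, off)
        _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
    for _ in range(ar):                      # additional RRs: this is where OPT lives
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return True, bool(ttl & DO_FLAG), rclass
    return False, False, None


def upstream_do_bit(client_query):
    """The policy described in the thread (my paraphrase, not BIND's code):
    set DO on the outgoing query whenever the client's request contained an
    EDNS OPT pseudo-RR, whether or not the client set DO itself."""
    has_opt, _do, _payload = parse_edns(client_query)
    return has_opt


if __name__ == "__main__":
    plain = build_query("www.example.gov", edns=False)
    edns_no_do = build_query("www.example.gov", edns=True, do=False)
    edns_do = build_query("www.example.gov", edns=True, do=True)
    for label, q in (("no EDNS", plain), ("EDNS, DO clear", edns_no_do), ("EDNS, DO set", edns_do)):
        print(label, parse_edns(q), "-> upstream DO:", upstream_do_bit(q))
```

Run against the three constructed queries, the parser reports no OPT for the plain query, an OPT with DO clear for the second, and an OPT with DO set for the third; the policy function sets DO upstream for both EDNS queries, which is exactly the behaviour Florian observed and Tony explained.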