[Dnssec-trigger] Feature creep :) was Re: [Dnssec-deployment] Fetching the RRSIGs can be a problem too. (fwd)

Paul Wouters paul at xelerance.com
Tue Nov 15 05:52:31 UTC 2011


Should unbound and dnssec-trigger be extended to look at this?

As Paul Vixie said before "Clear path DNS is not engineering - it is information warfare"

Paul

---------- Forwarded message ----------
Date: Fri, 2 Sep 2011 03:32:09
From: Paul Vixie <vixie at isc.org>
To: dnssec-deployment at dnssec-deployment.org
Subject: Re: [Dnssec-deployment] Fetching the RRSIGs can be a problem too.

> From: Mark Andrews <marka at isc.org>
> Date: Fri, 02 Sep 2011 10:13:48 +1000
> 
> Just the other day I was sitting in a hotel with "transparent"
> intercepting DNS cache.  This was not an issue for DNSSEC validation
> because it was DNSSEC aware and returned the records which allowed
> me to validate the responses.  The only thing I need to tweak was
> to set RD=1 on all queries or else the "transparent" intercepting
> DNS cache wouldn't recurse for me.

is this RD=1 fallback something we should enshrine in BIND and/or an RFC?
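
The RD=1 observation in the quoted message, as an added example that is not part of the original thread and is not code from BIND, unbound or dnssec-trigger: it builds the same DO=1 question with RD clear and RD set, then checks which reply carries RRSIGs. The function names, the result labels and the `fake_response` helper (a constructed reply with dummy RDATA, used so the block runs offline) are assumptions of this example.

```python
import struct

RD, RA = 0x0100, 0x0080            # header flag bits: recursion desired / available
DO = 0x8000                        # DNSSEC OK bit in the EDNS0 OPT TTL field
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46

def build_query(name, qtype, rd, qid=0x1234):
    """Wire-format query with EDNS0 DO=1; rd chooses the RD header bit."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO, 0)   # root name, 4096-byte UDP size
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + n

def summarize(msg):
    """Pull out what the fallback decision needs: RA, RCODE, answer types."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"ra": bool(flags & RA), "rcode": flags & 0xF, "types": types}

def classify(resp_rd0, resp_rd1):
    """Compare the replies to the same DO=1 question sent with RD=0 and RD=1."""
    for label, resp in (("signed answers with RD=0", resp_rd0),
                        ("signed answers only with RD=1", resp_rd1)):
        if TYPE_RRSIG in summarize(resp)["types"]:
            return label
    return "no RRSIGs on this path"

def fake_response(query, rrtypes):
    """Constructed reply for offline use: echoes the question, dummy 4-byte RDATA."""
    qid, flags = struct.unpack("!HH", query[:4])
    hdr = struct.pack("!HHHHHH", qid, 0x8000 | RA | (flags & RD), 1, len(rrtypes), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 60, 4) + bytes(4) for t in rrtypes)
    return hdr + query[12:-11] + rrs
```

On a live network the two replies would come from sending `build_query(...)` over UDP to the resolver under test; a validator still has to verify the returned signatures, since the presence of RRSIGs only shows the path does not strip them.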


