[Dnssec-trigger] Feature creep :) was Re: [Dnssec-deployment] Fetching the RRSIGs can be a problem too. (fwd)
wouter at NLnetLabs.nl
Mon Nov 28 14:42:18 UTC 2011
Such caches set the RA flag on the reply. Unbound has a fallback
already built in where it sees the RA flag and retries with +RD. It also
dislikes the result immensely, and will only try it at last resort.
Sometimes people deploy a recursor instead of authoritative slave and
this happens on the normal internet.
Dnssec-trigger in the last version notices the transparent proxy and
stops lookups (entirely!) via the transparent proxy. It does not attempt
a +RD retry via the transparent proxy, which is complicated I think,
because I am not sure how to make it work once detected: would
forward-zone: "." and a root-server forward-addr work, i.e. pretend the
root server is a cache and let the transparent proxy cache via that address?
On 11/15/2011 06:52 AM, Paul Wouters wrote:
> Should unbound and dnssec-trigger be extended to look at this?
> As Paul Vixie said before "Clear path DNS is not engineering - it is
> information warfare"
> ---------- Forwarded message ----------
> Date: Fri, 2 Sep 2011 03:32:09
> From: Paul Vixie <vixie at isc.org>
> To: dnssec-deployment at dnssec-deployment.org
> Subject: Re: [Dnssec-deployment] Fetching the RRSIGs can be a problem too.
>> From: Mark Andrews <marka at isc.org>
>> Date: Fri, 02 Sep 2011 10:13:48 +1000
>> Just the other day I was sitting in a hotel with "transparent"
>> intercepting DNS cache. This was not an issue for DNSSEC validation
>> because it was DNSSEC aware and returned the records which allowed
>> me to validate the responses. The only thing I needed to tweak was
>> to set RD=1 on all queries or else the "transparent" intercepting
>> DNS cache wouldn't recurse for me.
> is this RD=1 fallback something we should enshrine in BIND and/or an RFC?
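As an added illustration, not code from Unbound, dnssec-trigger or anyone in this thread: a small Python sketch of the check discussed above (RD=0 query answered with RA=1 means a recursive cache, not the authority, answered) and the last-resort RD=1 retry, run against two constructed stand-ins for the hotel-style transparent cache and a real authoritative server. All function names and the fake servers are hypothetical.

```python
import struct

# DNS header flag bits (RFC 1035 wire format). Constructed helper, not Unbound's code.
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080

def build_query(qname, qid=0x1234, rd=False):
    """Build a one-question A/IN query; rd=False is what an iterative resolver sends."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_flags(msg):
    """Pull id, QR, RD, RA and RCODE out of a DNS message header."""
    qid, flags = struct.unpack("!HH", msg[:4])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F}

def looks_intercepted(query, reply):
    """The symptom from the thread: we asked with RD=0 (expecting an authoritative
    server) but the matching reply carries RA=1, i.e. a recursive cache answered."""
    q, r = parse_flags(query), parse_flags(reply)
    return r["qr"] and r["id"] == q["id"] and not q["rd"] and r["ra"]

def resolve_with_fallback(qname, send):
    """send(wire_query) -> wire_reply. Try RD=0 first; only when the reply shows the
    intercepting-cache signature, retry once with RD=1 as a last resort."""
    first = build_query(qname, rd=False)
    reply = send(first)
    if looks_intercepted(first, reply):
        return send(build_query(qname, rd=True)), "rd-retry"
    return reply, "direct"

def fake_transparent_cache(query):
    """Constructed stand-in for the hotel cache: always sets RA, echoes RD, and only
    recurses (RCODE 0, one answer) when RD=1; otherwise SERVFAIL (RCODE 2), no answer."""
    q = parse_flags(query)
    flags = FLAG_QR | FLAG_RA | (FLAG_RD if q["rd"] else 2)
    return struct.pack("!HHHHHH", q["id"], flags, 1, 1 if q["rd"] else 0, 0, 0) + query[12:]

def fake_authoritative(query):
    """Constructed stand-in for a real authoritative server: AA set, RA clear."""
    q = parse_flags(query)
    flags = FLAG_QR | FLAG_AA | (FLAG_RD if q["rd"] else 0)
    return struct.pack("!HHHHHH", q["id"], flags, 1, 1, 0, 0) + query[12:]
```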