[Dnssec-trigger] Using dnssec-trigger when the forwarder lies

Jaap Akkerhuis jaap at NLnetLabs.nl
Tue Jan 3 11:18:53 UTC 2012


    
    
    DNSSEC trigger shouldn't have to make - or care - about the difference.

It doesn't.

    Or at least it could say "oh looks like someone is voluntarily
    tampering with the results, get a VPN"
    
It can only find out whether DNSSEC works or not and in the last
case, it warns that the DNS lookup is not secured by DNSSEC. There
is no way for dnssec-trigger to find out why it cannot validate the
DNS lookup and so, how the user can remedy the situation. That has
also never been the goal. As Wouter already has said: "The mission
of dnssec-trigger is DNSSEC".

	jaap


