[Unbound-users] Forwarding failing when DNSSec is enabled
wouter at NLnetLabs.nl
Thu Jul 2 14:57:01 UTC 2009
On 07/02/2009 04:54 PM, Leen Besselink wrote:
> Does this information help?
>> Yes, it does take away my uncertainty about if I understand correctly how DNSSEC works.
>> It's not possible for Unbound to ask the forwarder for the specific record (I think it's something like KEY)?
>> Or would a forwarder strip that also?
>> Or would all these extra requests delay the whole thing far too much and is that a good reason not to do it?
The problem is that the signature should be kept with the data. If you
ask for the signature and data separately you do not know if they match.
In fact they may very well be from different versions of the zone;
therefore, in DNSSEC the signatures are sent together with the data.
It would also be slower, yeah.
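The point in the reply above, that signatures are sent together with the data, can be checked on the wire. This is an added example, not part of the original message or of Unbound: it parses a DNS response and reports whether each answer type arrives with an RRSIG covering it in the same message. The function names and the sample responses are constructed for illustration, and the check is structural only (it does not verify the signature cryptographically).

```python
import struct

TYPE_A, TYPE_RRSIG = 1, 46

def encode_name(name):
    # Uncompressed wire-format name: length-prefixed labels, then a zero byte.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    # Advance past a name; a compression pointer (top two bits set) ends it.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def rr(name, rtype, rdata, ttl=300):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(name, with_rrsig):
    # Constructed sample: one A record, optionally followed by its RRSIG.
    answers = [rr(name, TYPE_A, bytes([192, 0, 2, 1]))]
    if with_rrsig:
        nlabels = name.rstrip(".").count(".") + 1
        # type covered, algorithm, labels, original TTL, expiration, inception, key tag
        fixed = struct.pack("!HBBIIIH", TYPE_A, 8, nlabels, 300, 1246600000, 1246500000, 12345)
        # Signer name plus a 16-byte placeholder where the signature would be.
        answers.append(rr(name, TYPE_RRSIG, fixed + encode_name(name) + b"\x00" * 16))
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, 1) + b"".join(answers)

def signature_travels_with_data(msg):
    # True only if every data type in the answer section has an RRSIG covering
    # it in the same message (per type; a full check would also match owner names).
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    data_types, covered = set(), set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_RRSIG:
            covered.add(struct.unpack("!H", msg[off:off + 2])[0])
        else:
            data_types.add(rtype)
        off += rdlen
    return bool(data_types) and data_types <= covered
```

A response that fails this check after passing through a forwarder, for a zone known to be signed, indicates the forwarder is not returning the signatures with the data.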