On 02/17/2013 09:44 AM, Vernon Schryver wrote:
From: Robert Moskowitz <r...@htt-consult.com>
One of my secondaries, though, does not support DNSSEC
How does a secondary authoritative DNS server fail to support DNSSEC?
It's not as if it would be doing any signature checking or automagic
(re)signing. Does it not tolerate the not at all new RRSIG and
NSEC or NSEC3 record types? Or does not not haves EDNS support?
The Redhat docs on bind had a warning about not implementing features,
like DNSSEC if your secondaries doesn't support it. That is all I am
going on. I think I also saw it in some isc.org doc.
In any case, some naming and shaming seems appropriate. Basic
DNSSEC support (i.e. maybe not yet TLSA or SMIMEA) is a fundamental
checklist item today.
Go for it, Vern!
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
