Mark Andrews wrote:
> DO says that you *understand* DNSSEC and that it is ok to
> send a DNSSEC response. It does not mean that you will be
> validating the response.
>
> named in all production versions of BIND 9 (9.1.0 onwards)
> has set DO on all EDNS queries. BIND 9.1.1 onwards named
> copies DO to the response.
Caching servers not validating the response? Then, the following argument applies.

> If a caching server is not required to perform public key computation
> to verify RRs before caching, cache poisoning won't be detected by
> the caching server, average clients of which suffer from long-lasting
> DOS of DNSSEC verification failure, turn off DNSSEC and will be a
> victim of another poisoning on their own cache.

Masataka Ohta
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
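The distinction Mark Andrews draws above, DO meaning "I understand DNSSEC" rather than "I validated", shown as an added example that is not part of this thread and not BIND's code. It builds an EDNS0 query with the DO bit set in the OPT record (RFC 3225), then inspects constructed responses for two separate signals: DO echoed back in the OPT pseudo-RR (the responder is DNSSEC-aware) and the AD header flag (RFC 4035, the responder claims to have validated). A response with DO echoed but AD clear is exactly the non-validating cache Ohta's argument is about. The query name, the 192.0.2.x address and all message bytes are constructed for the example.

```python
"""
Added example (not from the thread): build a DNS query with the EDNS0 OPT
record's DO bit set (RFC 3225) and inspect a response for two different
signals:

  * DO echoed in the OPT record  -> the responder *understands* DNSSEC
  * AD set in the header flags   -> the responder claims it *validated*

Names, addresses and message bytes below are constructed for the example.
"""
import struct

# DNS header flag bits (RFC 1035; AD/CD from RFC 4035 section 3.2)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010

TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1

# In the OPT RR the 32-bit TTL field is ext-RCODE(8) | VERSION(8) | DO(1) | Z(15),
# so DO is bit 15 of that field (RFC 3225 section 3).
EDNS_DO = 0x8000


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off`, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def opt_rr(udp_size=1232, do_bit=True):
    """OPT pseudo-RR: root name, type 41, class = UDP payload size, TTL carries DO."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do_bit else 0, 0)


def build_query(name, qtype=TYPE_A, qid=0x1234, do_bit=True):
    """A recursive query that signals DNSSEC understanding via DO in its OPT RR."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + opt_rr(do_bit=do_bit)


def build_response(query, ipv4, ad=False, edns=True, do_bit=True):
    """Constructed reply to `query`: one A record; AD and DO set per the arguments."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    qend = skip_name(query, 12) + 4                  # QTYPE + QCLASS
    question = query[12:qend]
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # Answer owner name is a compression pointer to the question name at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    extra = opt_rr(do_bit=do_bit) if edns else b""
    header = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 1 if edns else 0)
    return header + question + answer + extra


def inspect_response(msg):
    """Walk every section; report header AD/CD and whether an OPT RR echoed DO."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4               # QTYPE + QCLASS
    edns = do_bit = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns, do_bit = True, bool(ttl & EDNS_DO)
    return {"edns": edns, "do": do_bit,
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD)}


def classify(msg):
    """Translate the two signals into what a client may conclude about the responder."""
    r = inspect_response(msg)
    if not r["edns"]:
        return "no-edns"                  # responder is not even DNSSEC-aware
    if not r["do"]:
        return "edns-no-do"               # speaks EDNS but did not echo DO
    if r["ad"]:
        return "validated"                # responder claims it validated the data
    return "dnssec-aware-unvalidated"     # understands DNSSEC, makes no validation claim


if __name__ == "__main__":
    q = build_query("example.com")
    for label, kwargs in (("non-validating cache", {}), ("validating resolver", {"ad": True}),
                          ("legacy server", {"edns": False})):
        print(label, "->", classify(build_response(q, "192.0.2.1", **kwargs)))
```

Two caveats a client should keep in mind when reading these bits. A copied DO bit, as Mark Andrews says, promises nothing about validation; only AD carries that claim, and RFC 4035 section 4.9.3 warns that AD is only trustworthy when it comes from a resolver you already trust over a channel that cannot be spoofed. A stub that wants its own assurance sets CD, asks for the signatures, and validates locally rather than relying on the cache's AD.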