> On Aug 20, 2008, at 6:00 PM, Mark Andrews wrote:
> >        Caches will cope with all of the above.  There may be some
> >        retries.  The retries will be logged by some caches.  The
> >        broken middle boxes will get fixed/replaced.
> 
> Mark, is it the case that BIND is setting the DO bit and then not  
> verifying signatures?

        DO is not controlled by dnssec-enable or dnssec-validation.

        DNSSEC is designed to be validator to authoritative server.
        If you introduce caches then you need to ensure that your
        cache is doing something sensible.  This implies you need
        to control your cache.

        The stub to third party cache model is going away.

        You won't accept incorrect data using a third party cache
        but you can be DoS'd using a third party cache.

        Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
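
The DO bit discussed in the message above is carried in the EDNS0 OPT record (RFC 3225). The following is an added example, not part of the original thread and not BIND code: it reads the DO and CD bits from a DNS message to show what a query actually advertises. The function names and the sample queries are constructed for illustration.

```python
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type
DO_FLAG = 0x8000   # DO: top bit of the 16 flag bits in the OPT TTL field
CD_FLAG = 0x0010   # CD (checking disabled) bit in the DNS header flags

def build_query(name, do=False, cd=False, edns=True):
    """Build a constructed A query, optionally with an OPT record."""
    flags = 0x0100 | (CD_FLAG if cd else 0)            # RD plus optional CD
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    if edns:
        ttl = DO_FLAG if do else 0                     # ext-rcode 0, version 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                           # compression pointer
            return off + 2
        off += 1 + n

def dnssec_signals(msg):
    """Report what a DNS message says about DNSSEC: EDNS present, DO, CD."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                  # name + QTYPE + QCLASS
    out = {"edns": False, "do": False, "cd": bool(flags & CD_FLAG)}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            out["edns"], out["do"] = True, bool(ttl & DO_FLAG)
    return out

if __name__ == "__main__":
    for kw in ({"do": True}, {"do": True, "cd": True}, {"edns": False}):
        print(kw, dnssec_signals(build_query("example.com", **kw)))
```

DO only asks the responder to include DNSSEC records; a query with DO set says nothing about whether the sender validates the signatures it gets back.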
