> On Aug 20, 2008, at 6:00 PM, Mark Andrews wrote:
> > Caches will cope with all of the above. There may be some retries. The retries will be logged by some caches. The broken middle boxes will get fixed/replaced.
>
> Mark, is it the case that BIND is setting the DO bit and then not verifying signatures?
DO is not controlled by dnssec-enable or dnssec-validation.

DNSSEC is designed to be validator to authoritative server. If you introduce caches then you need to ensure that your cache is doing something sensible. This implies you need to control your cache. The stub to third party cache model is going away.

You won't accept incorrect data using a third party cache but you can be DoS'd using a third party cache.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: [EMAIL PROTECTED]

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
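The distinction Mark draws, that the DO bit and validation are separate things, can be seen directly in the wire format: DO lives in the EDNS0 OPT record and only asks the other side to include RRSIGs, while the only on-the-wire signal that a cache actually validated is the AD header flag. The following is an added example, not code from this thread or from BIND, that builds a query with or without DO, builds a constructed response echoing the OPT record, and reads both flags back out; the query name and AD setting are sample values.

```python
import struct

EDNS_DO = 0x8000    # DO is the top bit of the OPT RR's 32-bit "TTL" field (RFC 3225)
FLAG_AD = 0x0020    # AD is bit 5 of the DNS header flags word (RFC 4035)
TYPE_OPT = 41

def build_query(qname: str, qtype: int = 1, do: bool = True, txid: int = 0x1234) -> bytes:
    """Wire-format query with RD=1 and one EDNS0 OPT RR; DO set only when asked."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # qd=1, ar=1 (the OPT RR)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)                     # QTYPE, QCLASS=IN
    ttl_field = EDNS_DO if do else 0                             # ext-RCODE=0, version=0, Z=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl_field, 0)  # root name, 4096 UDP size
    return header + question + opt

def make_response(query: bytes, ad: bool) -> bytes:
    """Constructed empty response that echoes the query's OPT RR; AD set only if 'validated'."""
    txid, flags = struct.unpack_from("!HH", query, 0)
    flags |= 0x8000 | 0x0080                                     # QR=1, RA=1
    if ad:
        flags |= FLAG_AD
    return struct.pack("!HH", txid, flags) + query[4:]

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a possibly compressed domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, terminates the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def parse_flags(msg: bytes) -> dict:
    """Return the header AD flag and, if an OPT RR is present, its DO flag."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    result = {"ad": bool(flags & FLAG_AD), "edns": False, "do": False}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            result["edns"] = True
            result["do"] = bool(ttl & EDNS_DO)
    return result
```

A cache can echo DO (and return signatures) while never validating, so a stub that does not run its own validator must not read DO as evidence of validation; only AD from a cache it controls or reaches over a secured channel carries that meaning.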