On Aug 20, 2008, at 6:56 PM, Mark Andrews wrote:
       DO is not controlled by dnssec-enable or dnssec-validation.

       DNSSEC is designed to be validator to authoritative server.
       If you introduce caches then you need to ensure that your
       cache is doing something sensible.  This implies you need
       to control your cache.

So I guess the question is, do the versions of BIND that set DO have problems when they get big answers. If they don't, we should be okay, since (correct me if I'm wrong, Mark), they will not send those answers out in response to queries that don't have the DO bit set.

However, that's a pretty big if. Do we have any data one way or the other?

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to