On Aug 20, 2008, at 6:56 PM, Mark Andrews wrote:
> DO is not controlled by dnssec-enable or dnssec-validation.
> DNSSEC is designed to be validator to authoritative server.
> If you introduce caches then you need to ensure that your
> cache is doing something sensible. This implies you need
> to control your cache.

So I guess the question is, do the versions of BIND that set DO have
problems when they get big answers? If they don't, we should be
okay, since (correct me if I'm wrong, Mark), they will not send those
answers out in response to queries that don't have the DO bit set.
However, that's a pretty big if. Do we have any data one way or the
other?
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop