> On Aug 20, 2008, at 6:56 PM, Mark Andrews wrote:
> >        DO is not controlled by dnssec-enable or dnssec-validation.
> >
> >        DNSSEC is designed to be validator to authoritative server.
> >        If you introduce caches then you need to ensure that your
> >        cache is doing something sensible.  This implies you need
> >        to control your cache.
> 
> So I guess the question is, do the versions of BIND that set DO have  
> problems when they get big answers.

        No.  They advertise what they are capable of accepting.  If
        there is broken middleware in between that clobbers the
        response they retry.

                [EMAIL PROTECTED] -> [EMAIL PROTECTED] -> plain DNS

> If they don't, we should be  
> okay, since (correct me if I'm wrong, Mark), they will not send those  
> answers out in response to queries that don't have the DO bit set.

        The server side honours the client's DO requests.

> However, that's a pretty big if.   Do we have any data one way or the  
> other?

        How about years of operation (going back to 9.1.0) without
        people even noticing that DO is set.  If DO caused
        non-recoverable problems we would have seen them long before
        now.

        Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
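As an added example (not part of the thread, and not BIND's code): a toy client and server in Python that build and parse the EDNS0 OPT pseudo-RR (RFC 6891), so that the client advertises the UDP payload size it can accept and the DO bit; the server includes DNSSEC records only when DO is set and truncates when the answer does not fit the advertised size; and the client walks a fallback ladder when a middlebox between them clobbers large responses. The ladder order, the 600-byte dummy RRSIG rdata, the 192.0.2.1 address and the middlebox that drops UDP packets over 512 bytes are constructed assumptions for illustration, not BIND's actual sequence or real signature data.

```python
"""Toy EDNS0/DO exchange: client advertises buffer size and DO, server honours
them, client retries down a ladder when a middlebox drops big responses.
Added example; names, the dummy RRSIG and the ladder order are assumptions."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG, CLASS_IN = 1, 41, 46, 1
DO_FLAG, TC_FLAG = 0x8000, 0x0200   # DO: top bit of OPT TTL flags; TC: header flag
PLAIN_DNS_MAX = 512                 # UDP payload limit when the query carries no OPT
FAKE_RRSIG = b"\x41" * 600          # constructed stand-in for RRSIG rdata, not a signature


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(packet, off):
    # Uncompressed labels only; this toy never emits compression pointers.
    while packet[off]:
        off += 1 + packet[off]
    return off + 1


def build_opt(udp_size, do):
    # OPT pseudo-RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode|version|flags
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_FLAG if do else 0, 0)


def build_query(qname, qtype=TYPE_A, edns_size=None, do=False, qid=0x1234):
    opt = build_opt(edns_size, do) if edns_size is not None else b""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if opt else 0)  # RD=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN) + opt


def parse_edns(packet):
    """(udp_size, do) advertised in the OPT record, or None if there is no EDNS."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(packet, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & DO_FLAG)
    return None


def rr(name_wire, rtype, rdata, ttl=300):
    return name_wire + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def server_answer(query):
    """Toy authoritative server: honours the client's DO bit and payload size."""
    qid = struct.unpack("!H", query[:2])[0]
    edns = parse_edns(query)
    udp_size, do = edns if edns else (PLAIN_DNS_MAX, False)
    qname_wire = query[12:skip_name(query, 12)]
    question = query[12:skip_name(query, 12) + 4]
    opt = build_opt(4096, do) if edns else b""      # reply with EDNS only to EDNS queries
    records = [rr(qname_wire, TYPE_A, bytes([192, 0, 2, 1]))]
    if do:                                          # RRSIGs only when the client set DO
        records.append(rr(qname_wire, TYPE_RRSIG, FAKE_RRSIG))
    flags, answers, ancount = 0x8580, b"", 0        # QR, AA, RD, RA
    for record in records:
        if 12 + len(question) + len(answers) + len(record) + len(opt) > udp_size:
            flags |= TC_FLAG                        # does not fit: truncate (client should use TCP)
            break
        answers += record
        ancount += 1
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 1 if opt else 0)
    return header + question + answers + opt


def summarize(resp):
    """TC bit, answer-section record types and total size of a response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(resp, off) + 4
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"tc": bool(flags & TC_FLAG), "types": types, "size": len(resp)}


def clobbering_path(query):
    """Constructed middlebox that silently drops any UDP DNS packet over 512 bytes."""
    resp = server_answer(query)
    return resp if len(resp) <= PLAIN_DNS_MAX else None


LADDER = ((4096, True), (512, True), (None, False))   # assumed order, not BIND's exact sequence


def resolve(qname, transport, ladder=LADDER):
    """Try each rung until a response arrives; returns (rung index, summary)."""
    for rung, (size, do) in enumerate(ladder):
        resp = transport(build_query(qname, edns_size=size, do=do))
        if resp is not None:
            return rung, summarize(resp)
    return None, None
```

`resolve("example.com.", server_answer)` succeeds on the first rung with both the A record and the RRSIG in a 690-byte response; `resolve("example.com.", clobbering_path)` loses that response to the middlebox, retries with a 512-byte buffer, and gets back a 67-byte truncated (TC=1) answer containing only the A record, the signal to move to TCP. A plain query with no OPT record gets the A record alone, since the server never sends RRSIGs to a client that did not set DO.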