On Wed, Mar 25, 2009 at 11:08:08AM -0700, Matthijs Mekking wrote:
> Also following the dns64 discussion, I thought the real issue was if we
> had a security-aware validating stub that does not understand
> translation. The stub resolver sets the CD bit but has no clue of how to
> do the translation.

That's not an issue: it's just a known breakage. If you have a translation-oblivious, validating stub resolver, and you're behind a translator, it won't work. We've decided to accept that admittedly lousy situation on the grounds that we can't do anything better, and because at this stage of DNSSEC deployment, if you know how to run a validated stub, you'll probably be able to learn about the translation and know how to upgrade your system. But yes, it's unpleasant.

> By the way, does the AD bit actually say something about RRSIGs need to
> be present in the response? If so, point me out 'cuz I couldn't find it.

Not as far as I have been able to uncover. I'm just worried that someone might have built something making that sort of assumption. I'm glad to hear the answers are apparently, "I don't think so."

A

-- 
Andrew Sullivan
a...@shinkuro.com
Shinkuro, Inc.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop