DNSSEC adoption
Grant Taylor
gtaylor at tnetconsulting.net
Tue Aug 2 18:15:44 UTC 2022
On 8/2/22 11:51 AM, Brown, William wrote:
> Or perhaps some way of the client side deciding how to handle hard v./
> soft failure.

Wouldn't this require the client side being aware of DNSSEC and making
a decision based on it?

Maybe it's just me, but I think client application side DNSSEC
validation is woefully lacking.

Maybe there could be an option to ask a recursive DNS server to do
DNSSEC validation and return record data even if the validation fails.
Then the client could decide to use the data or not based on its
preferences.

I feel like similar behavior can be achieved by messing with the CD / DO
flags across multiple queries. But even this requires the client side
being aware of DNSSEC. (See prior statement.)

I also feel like what we're discussing is dangerously close to defeating
DNSSEC and antithetical to its purpose.
--
Grant. . . .
unix || die
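
The CD / DO comparison mentioned in the message above, as an added example that is not part of the original post: the same question is sent to a validating resolver once with CD=0 and once with CD=1 (DO set both times), and the two response headers are compared. The function names and the constructed response headers are assumptions made for illustration.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035) and the EDNS0 DO bit (RFC 3225).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def build_query(name, qtype=1, cd=False, do=True, qid=0x1234):
    """Wire-format query with RD set, CD optional, and an EDNS0 OPT record."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)           # class IN
    # OPT RR: root name, type 41, class = UDP size, TTL = ext-rcode/version/DO.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, EDNS_DO if do else 0, 0)
    return header + question + opt

def header_flags(msg):
    """Return (rcode, ad_set, cd_set) from a DNS message header."""
    _, flags = struct.unpack("!HH", msg[:4])
    return flags & 0x000F, bool(flags & AD), bool(flags & CD)

def classify(resp_validated, resp_cd):
    """Compare the CD=0 response with the CD=1 response for the same question."""
    rcode, ad, _ = header_flags(resp_validated)
    rcode_cd, _, _ = header_flags(resp_cd)
    if rcode == NOERROR:
        # AD is only meaningful if the path to the resolver is trusted.
        return "secure" if ad else "insecure-or-unvalidated"
    if rcode == SERVFAIL and rcode_cd in (NOERROR, NXDOMAIN):
        return "bogus"   # resolver has an answer but it failed validation
    return "other"       # NXDOMAIN, or a failure that CD=1 does not cure

def fake_response(rcode, ad=False, cd=False, qid=0x1234):
    """Constructed 12-byte response header used as sample input."""
    flags = QR | RD | RA | (AD if ad else 0) | (CD if cd else 0) | rcode
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    samples = [  # constructed response pairs: (CD=0 response, CD=1 response)
        ("signed zone", fake_response(NOERROR, ad=True), fake_response(NOERROR, cd=True)),
        ("broken signatures", fake_response(SERVFAIL), fake_response(NOERROR, cd=True)),
        ("server unreachable", fake_response(SERVFAIL), fake_response(SERVFAIL, cd=True)),
    ]
    for label, r1, r2 in samples:
        print(label, "->", classify(r1, r2))
```

A client that acts on the CD=1 data after a "bogus" result is using unvalidated records, which is the soft-failure behavior the thread is debating.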