Force Bind caching resolver to always obey DNSSEC
Barry Margolin
barmar at alum.mit.edu
Sat Oct 2 02:27:11 UTC 2010
In article <mailman.265.1285967251.555.bind-users at lists.isc.org>,
lst_hoe02 at kwsoft.de wrote:
> Quoting Alan Clegg <aclegg at isc.org>:
>
> > On 10/1/2010 4:50 PM, lst_hoe02 at kwsoft.de wrote:
> >
> >> Sorry for being unclear. We want the SERVFAIL as it should be for
> >> invalid DNSSEC data *in all cases*, e.g. even if a client asks with the
> >> cdflag (checking disable) set.
> >
> > CD means "don't check", so you can't by definition.
> >
> > AlanC
> >
>
> That I was afraid of. It's a pity that there is no way to save the
> downstream clients from stupid resolvers/downstream caches.
Since CD is not set by default, a "stupid resolver" that doesn't know
about DNSSEC won't set it. Someone has to go out of their way to
request this behavior.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
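
The CD bit discussed in this thread is a single flag in the DNS message header that a client has to set explicitly. The following is an added example, not part of the original post: it decodes that header and lists which clients sent queries with CD set, so an operator can see who is opting out of validation. The function names and the sample capture are constructed for illustration.

```python
import struct

# Header flag masks (RFC 1035; AD and CD are defined by RFC 4035).
QR, RD, AD, CD = 0x8000, 0x0100, 0x0020, 0x0010


def build_query(name, txid, cd=False, qtype=1):
    """Build a minimal DNS query; cd=True sets Checking Disabled."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    """Decode the ID and the flag bits relevant to DNSSEC handling."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "response": bool(flags & QR),
        "rd": bool(flags & RD),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
    }


def clients_setting_cd(captured):
    """Return sorted client addresses whose queries carried CD=1."""
    hits = set()
    for client, packet in captured:
        try:
            hdr = parse_header(packet)
        except ValueError:
            continue  # skip malformed packets instead of aborting the audit
        if not hdr["response"] and hdr["cd"]:
            hits.add(client)
    return sorted(hits)


# Constructed sample capture: (client address, raw query bytes).
SAMPLE = [
    ("192.0.2.10", build_query("example.com", 0x1A2B)),           # default, CD clear
    ("192.0.2.20", build_query("example.com", 0x3C4D, cd=True)),  # explicit CD
    ("192.0.2.30", b"\x00\x01"),                                  # truncated
]
```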