Free secondary servers supporting DNSSEC?
Robert Moskowitz
rgm at htt-consult.com
Sun Feb 17 16:31:30 UTC 2013
On 02/17/2013 09:44 AM, Vernon Schryver wrote:
>> From: Robert Moskowitz <rgm at htt-consult.com>
>> One of my secondaries, though, does not support DNSSEC
> How does a secondary authoritative DNS server fail to support DNSSEC?
> It's not as if it would be doing any signature checking or automagic
> (re)signing. Does it not tolerate the not at all new RRSIG and
> NSEC or NSEC3 record types? Or does not not haves EDNS support?
The Redhat docs on bind had a warning about not implementing features,
like DNSSEC if your secondaries doesn't support it. That is all I am
going on. I think I also saw it in some isc.org doc.
> In any case, some naming and shaming seems appropriate. Basic
> DNSSEC support (i.e. maybe not yet TLSA or SMIMEA) is a fundamental
> checklist item today.
Go for it, Vern!
More information about the bind-users
mailing list