nanog mailing list archives
Re: US government mandates? use of DNSSEC by federal agencies
From: Jeroen Massar <jeroen () unfix org>
Date: Wed, 27 Aug 2008 19:25:03 +0200
Steven M. Bellovin wrote:
> On Wed, 27 Aug 2008 09:53:26 -0700 "Kevin Oberman" <oberman () es net> wrote:
>>> So the question I have is... will operators (ISP, etc) turn on DNSsec checking? Or a more basic question of whether you even _could_ turn on checking if you were so inclined?
>> As far as I can see, at least with bind-9.5, operators would have to turn it off. It looks to me like dnssec-validation defaults to on. It also appears that bind-9.4 defaults to 'off'.
> Right. The real questions are the clients and the trust anchor -- what root key do you support?
A distributed one. I personally don't really see an issue with downloading a public key for every TLD out there. These keys could come in a pack even by an OS distribution, nicely PGP signed et al... Nobody in his right mind manages this per box anymore anyway, and packages for distributions and auto-updates are well-present anyway. The presence of a key file can also mean to the resolver that one can/has_to check dnssec results.

Greets,
 Jeroen
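As an added illustration of the idea in the message above (not code from the thread or from BIND): a resolver holding a pack of per-zone trust anchors picks the closest enclosing anchored zone for each query name, and a name under no anchor cannot be validated. The zone list, file names and the policy labels are constructed assumptions.

```python
# Added example: trust-anchor selection from a per-zone "key pack".
# ANCHOR_PACK is constructed sample data; the paths are hypothetical and
# stand in for key files shipped (and signature-checked) by an OS package.
ANCHOR_PACK = {
    "se.": "anchors/se.key",
    "example.org.": "anchors/example.org.key",
}

def normalize(name):
    """Lower-case a DNS name and return its labels; the root is []."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []

def closest_anchor(qname, anchors):
    """Return the most specific anchored zone that encloses qname, or None.

    Matching is done on whole labels, so "example.notse" is not under "se.".
    """
    labels = normalize(qname)
    zones = {tuple(normalize(zone)): zone for zone in anchors}
    # Walk from the full name towards the root: www.a.se, a.se, se, (root).
    for i in range(len(labels) + 1):
        candidate = tuple(labels[i:])
        if candidate in zones:
            return zones[candidate]
    return None

def policy(qname, anchors):
    """Presence of a key file means answers under that zone must validate."""
    zone = closest_anchor(qname, anchors)
    if zone is None:
        return ("insecure", None)       # no anchor: nothing to validate against
    return ("must-validate", zone)      # anchor present: unsigned answers fail

if __name__ == "__main__":
    for name in ("www.nic.se.", "mail.example.org", "www.example.com"):
        print(name, policy(name, ANCHOR_PACK))
```

With a single signed root, the pack collapses to one entry for "." and every name falls under it.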