> It's going to be interesting to watch. I guess that depends on if DNSSEC is
> turned on by default in BIND. Incidentally - is it?

That depends on what you mean by "turned on". The DNSSEC protocol is enabled, and the DO bit is set in queries, so authoritative servers with signed data will send it. But the DO bit is merely a flag that says "if you send me DNSSEC signatures I won't catch fire," it doesn't actually switch on DNSSEC in any meaningful way.

DNSSEC validation only becomes active when you've configured a trust anchor, and that is *not* done by default.

(There is a built-in trust anchor for dlv.isc.org included with BIND 9.7, but you have to turn on a config option for it to be used, and that will not change. We would like people to trust us, and we wanted to make it as easy as possible to do so, but we don't think we'd be worthy of trust if we made it the default.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
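The distinction drawn in the reply above, as an added example that is not part of the original message and is not ISC code: the DO bit lives in the EDNS0 OPT record of a query, while evidence of validation is the separate AD bit in the response header. The function names and the sample response are constructed for illustration.

```python
import struct

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=1, do=True, txid=0x1234):
    """Query with an EDNS0 OPT record; DO is bit 15 of the OPT flags field."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16), empty rdata.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer is two bytes
            return off + 2
        off += 1 + n

def dnssec_flags(msg):
    """Report DO (OPT record), AD (header) and the number of RRSIG records."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    do, rrsigs = False, 0
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:               # OPT
            do = bool(ttl & 0x8000)
        elif rtype == 46:             # RRSIG
            rrsigs += 1
    return {"do": do, "ad": bool(flags & 0x0020), "rrsigs": rrsigs}

def constructed_response(query, ad):
    """Constructed sample reply: A + RRSIG (dummy rdata), echoing the OPT."""
    def rr(rtype, rdata):
        return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    head = struct.pack("!HHHHHH", 0x1234, 0x8180 | (0x20 if ad else 0), 1, 2, 0, 1)
    return head + query[12:-11] + rr(1, bytes([192, 0, 2, 1])) + rr(46, bytes(18)) + query[-11:]

if __name__ == "__main__":
    q = build_query("example.com")
    print("no trust anchor:", dnssec_flags(constructed_response(q, ad=False)))
    print("validated:      ", dnssec_flags(constructed_response(q, ad=True)))
```

In the first sample the signatures arrive because DO was set, yet AD stays clear, which is what a resolver without a configured trust anchor looks like from the client side.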