> > I'd like to get your feedback on the following thoughts regarding
> > DNSSEC HW support.
> >
> > Any layer 2 or 3 devices forwarding frames or packets should not be
> > affected by the implementation of DNSSEC regardless of the type of
> > protocol (TCP/UDP) or the query size (large or small).
> >
> > Layer 4 devices (smart switches) should not be affected by the
> > implementation of DNSSEC using the same logic.
> >
> > My thoughts are these products simply forward data based on a frame,
> > IP address, or protocol and should not be affected by the
> > implementation of DNSSEC. Would you agree?
> >
> > Thanks in advance.
>
> I think you are basically correct except for one very important caveat:
>
> DNS BGP anycasting (in widespread use by many large operations) where
> you might need to sign zones on the fly with special crypto hardware.

So if I'm testing a router for DNSSEC compliance, you'd recommend I run a test using RIP or OSPF, then a separate test for BGP. Is that correct? I'm trying to figure out how many tests I need to run for an individual product (layer 2, 3, 4, and 7) before I can say it is completely DNSSEC compliant.