On 10/02/2010 10:01 AM, lst_ho...@kwsoft.de wrote:
> So the problem is not resolvers unaware of DNSSEC but resolvers with
> inappropriate defaults or configured wrong by accident. Additionally
> this problem is not easily detectable as it can occur far downstream. So
> I would say it is a valid concern for network operators to make it
> possible to force obeying DNSSEC at the border.
The problem is that if, as some people expect, DNSSEC resolution
eventually gets pushed down into "thick" client resolvers, then these
resolvers need a way to tell the upstream cache "just cache, don't check".
This, as well as debugging, is what +cd is for (see section 3.2.2 of RFC 4033).
Any "ignore +cd" config would have to be I think quite complex to avoid
breaking this paradigm - probably an ACL.
I understand why you want this, but enabling such a feature (if it
existed, which it doesn't) could have adverse effects too.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
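Added example, not part of the thread above: a small model of the CD-bit paradigm the reply describes. It builds a query header with CD set (what dig +cd sends), decodes the flags a cache inspects, and models a validating cache's answer; the `honor_cd=False` switch is a hypothetical stand-in for the "ignore +cd" border setting under discussion, which no real resolver option on this page provides. The 'secure'/'insecure'/'bogus' validation results and the header layout are assumptions, not anything from the mailing list post.

```python
import struct

# DNS header flag bits in the 16-bit flags word (RFC 1035 layout, AD/CD from RFC 4035).
QR = 0x8000  # response
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # authentic data: set only when the cache itself validated the answer
CD = 0x0010  # checking disabled: "just cache, don't check", what dig +cd sets
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_query_header(qid, checking_disabled):
    """Return the 12-byte header of a recursive query, with CD set if requested."""
    flags = RD | (CD if checking_disabled else 0)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)


def parse_flags(header):
    """Decode the flag bits a cache (or a border monitor) would inspect."""
    qid, flags = struct.unpack("!HH", header[:4])
    return {"qid": qid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ad": bool(flags & AD), "cd": bool(flags & CD), "rcode": flags & 0xF}


def answer_from_cache(query_header, validation, honor_cd=True):
    """Constructed model of a validating cache answering one query.

    validation is the cache's own DNSSEC result for the cached data:
    'secure', 'insecure' or 'bogus'. honor_cd=False is a hypothetical
    "ignore +cd" setting: the cache then validates even when the client
    asked it not to, which is what breaks a thick client validator.
    """
    q = parse_flags(query_header)
    flags = QR | RA | (RD if q["rd"] else 0) | (CD if q["cd"] else 0)  # CD is echoed
    if q["cd"] and honor_cd:
        rcode = RCODE_NOERROR  # hand the data over unvalidated, never set AD, never fail
    elif validation == "bogus":
        rcode = RCODE_SERVFAIL  # cache validated and refused the data
    else:
        rcode = RCODE_NOERROR
        if validation == "secure":
            flags |= AD
    return struct.pack("!HHHHHH", q["qid"], flags | rcode, 1, 1 if rcode == 0 else 0, 0, 0)
```

With honor_cd=True the bogus answer still reaches a CD-setting client (which is expected to validate it itself), while a client without CD gets SERVFAIL; with honor_cd=False both get SERVFAIL, which is the adverse effect the reply warns about.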