In article <mailman.736.1336590990.63724.bind-us...@lists.isc.org>, Tony Finch <d...@dotat.at> wrote:
> Gaurav Kansal <gaurav.kan...@nic.in> wrote:
>
> > DNSSEC is done on Authoritative side.
>
> Signing is done on authority servers. It's straightforward with
> inline-signing mode, or if you maintain your zone with dynamic updates.
>
> > Caching DNS only check whether that particular domain is signed or not,
> > only if that caching DNS is designed to do so.
>
> Validation is done on caches. In my experience validation is a pretty
> untroublesome feature to enable, provided you aren't completely hammering
> your name servers.

It's only untroublesome until someone screws things up on their auth server. When one of your users can't access something.gov, they'll complain to YOU, even though it's mostly out of your hands.

This is true for other problems on auth servers as well, of course. But DNSSEC is new enough that there tend to be more failures of this kind, even by organizations that until now have seemed to know what they're doing.

--
Barry Margolin
Arlington, MA