On 12/7/2014 10:58 AM, Edward Ned Harvey (blu) wrote:
What happens if the local DNS caching server is old and doesn't
support DNSSEC?  What if the client has support for DNSSEC, sets
DO=1, and the caching server is old and doesn't know anything about
DNSSEC?  Hopefully an old dns server is able to dumbly relay
information that it doesn't understand.

According to early DNSSEC design discussions, backwards compatibility and co-existence with so-called insecure DNS is an explicit requirement [RFC 3833 -> Galvin93].

According to RFC 3597, a properly functioning resolver MUST pass on unknown records as unstructured binary data (read: no changes are permitted). RFC 3597 was written specifically to address the issue of insecure resolvers passing DNSSEC RRs.

According to me, the answer to your followup question is this: given a resolver that pre-dates RFC 3597 or does not implement RFC 3597 for some technical reason (Internet of Things constraints perhaps?), you cannot rely on it to pass DNSSEC RRs.

--
Rich P.
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss

Reply via email to