dnssec-trigger is your friend.

Roy

Sent from my iPhone

On 2 Oct 2012, at 20:54, Paul Vixie <[email protected]> wrote:

> On 2012-10-02 7:48 PM, Warren Kumari wrote:
>> DNSSEC on the *host / stub* would have though.
>
> this doesn't work at the moment, even when there's code on the stub that
> supports it, which is rare and experimental. i occasionally turn on a
> recursive name server on my laptop, but it's very rare that udp/53 is
> allowed through a wireless gateway in a hotel or coffee shop, and when
> it is, edns usually triggers an immune response because the gateway
> "knows" that additional data sections of queries are empty. when this
> doesn't fail, the multipacket response is damaged by dropping all
> fragments after the first one.
>
> if ietf hadn't declared the dns protocol finished, and were not even now
> working to close up the dnsext working group, i'd propose that we
> develop a standard for carrying edns over tcp/80 and/or tcp/443, which
> is for most mobile users what "the internet" consists of.
>
> i'm not sure how we expect DANE to make any difference when we don't
> have working last mile DNSSEC.
>
> paul

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
