> On Aug 20, 2008, at 6:00 PM, Mark Andrews wrote:
> > Caches will cope with all of the above. There may be some
> > retries. The retries will be logged by some caches. The
> > broken middle boxes will get fixed/replaced.
>
> Mark, is it the case that BIND is setting the DO bit and then not
> verifying signatures?
DO is not controlled by dnssec-enable or dnssec-validation.
DNSSEC is designed to be validator to authoritative server.
If you introduce caches then you need to ensure that your
cache is doing something sensible. This implies you need
to control your cache.
The stub to third party cache model is going away.
You won't accept incorrect data using a third party cache
but you can be DoS'd using a third party cache.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
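A way for a stub to check what a cache actually did with the DO bit, added here as an illustration and not part of Mark's message or of BIND: it parses a constructed DNS response and reports whether DO was set in the OPT record, whether any RRSIGs came back, and whether the cache asserted AD, so "signatures requested" can be told apart from "signatures verified". The function names, the sample messages and the verdict labels are my own.

```python
import struct

TYPE_RRSIG, TYPE_OPT, FLAG_AD = 46, 41, 0x0020
EDNS_DO = 0x8000  # DO bit lives in the high 16 bits of the OPT RR's "TTL" field

def skip_name(msg, off):
    """Advance past a possibly compressed owner name and return the new offset."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name (2 bytes)
            return off + 2
        off += 1 + msg[off]
    return off + 1

def inspect_response(msg):
    """Report the AD flag, the EDNS DO bit and whether any RRSIG was returned."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                  # skip QTYPE and QCLASS
    info = {"ad": bool(flags & FLAG_AD), "do": False, "rrsig": False}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            info["rrsig"] = True
        elif rtype == TYPE_OPT:
            info["do"] = bool((ttl >> 16) & EDNS_DO)
    return info

def cache_verdict(info):
    """What the response tells a stub about the cache's DNSSEC handling."""
    if not info["do"]:
        return "no-dnssec-requested"   # DO clear: no signatures were asked for
    if info["ad"]:
        return "validated-by-cache"    # AD set: cache asserts it verified the chain
    if info["rrsig"]:
        return "signed-not-validated"  # RRSIGs present, AD clear: validate locally
    return "unsigned-or-stripped"      # DO set but nothing signed came back

def build_rr(owner, rtype, rclass, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

# Constructed sample: example.com A answer, a placeholder RRSIG and an OPT RR with DO set.
QNAME, PTR = b"\x07example\x03com\x00", b"\xc0\x0c"
BODY = (QNAME + struct.pack("!HH", 1, 1)
        + build_rr(PTR, 1, 1, 300, bytes([192, 0, 2, 1]))
        + build_rr(PTR, TYPE_RRSIG, 1, 300, b"\x00" * 27)   # dummy rdata, not a real signature
        + build_rr(b"\x00", TYPE_OPT, 4096, EDNS_DO << 16, b""))
SAMPLE_UNVALIDATED = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 1) + BODY  # QR|RD|RA, AD clear
SAMPLE_VALIDATED = struct.pack("!6H", 0x1234, 0x81A0, 1, 2, 0, 1) + BODY    # same, with AD set
```

Seeing DO set and RRSIGs returned without AD is exactly the "cache is not doing something sensible" case: the stub must then validate the chain itself rather than trust the cache.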
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop