On Aug 20, 2008, at 6:56 PM, Mark Andrews wrote:
DO is not controlled by dnssec-enable or dnssec-validation. DNSSEC is designed to be validator to authoritative server. If you introduce caches then you need to ensure that your cache is doing something sensible. This implies you need to control your cache.
So I guess the question is, do the versions of BIND that set DO have problems when they get big answers? If they don't, we should be okay, since (correct me if I'm wrong, Mark), they will not send those answers out in response to queries that don't have the DO bit set.
However, that's a pretty big if. Do we have any data one way or the other?
