In message <20131106033003.gb6...@dyn.com>, Andrew Sullivan writes:
> On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
> >
> > I think every major residential ISP in the US has been doing this for 5+
> > years now.
>
> Comcast doesn't, because it breaks DNSSEC.

Only if you are validating. BIND supports DNSSEC-aware NXDOMAIN redirection. If the NXDOMAIN response is verifiable and you set DO=1 on the query the redirection will not occur. Similar logic is implemented in DNS64 support.

> A
>
> --
> Andrew Sullivan
> Dyn, Inc.
> asulli...@dyn.com
> v: +1 603 663 0448
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org