On Mon, May 3, 2010 at 8:40 AM, Ziots, Edward <[email protected]> wrote:
> From what I am reading non DNSSEC aware DNS servers will get the DNS
> responses in the older non-compliant format.

DNSSEC just adds some records that provide authentication information for zone data. The domain protocol is unchanged (other than some new record types). If your resolver does not request the new records, it won't even see them. If your nameserver does not provide the records, DNSSEC-aware resolvers simply won't get them, and will treat your zone(s) as unsigned. How resolvers handle unsigned zones is up to the operator of the resolver, but given the limited deployment of DNSSEC at this time, I doubt anyone's going to be doing anything soon.

-- Ben
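
The behaviour described in the reply above, as an added example that is not part of the original post: a resolver asks for DNSSEC records by setting the "DNSSEC OK" (DO) flag in an EDNS0 OPT record (RFC 3225), and a query without it gets the plain answer. The function names, the sample query name and the simplified server model are assumptions made for illustration.

```python
import struct

TYPE_A, TYPE_OPT = 1, 41
DO_BIT = 0x8000  # RFC 3225: "DNSSEC OK" flag, carried in the OPT record's TTL field

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, dnssec_ok=False, qid=0x1234):
    """Build a wire-format A query; add an OPT record with DO set if requested."""
    arcount = 1 if dnssec_ok else 0
    # Header: id, flags (RD=1), qdcount, ancount, nscount, arcount
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    if dnssec_ok:
        # OPT pseudo-RR: root name, type 41, class = UDP payload size,
        # TTL = extended-rcode | version | flags, rdlength 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return msg

def skip_name(msg, pos):
    """Advance past an uncompressed name and return the new offset."""
    while msg[pos]:
        pos += 1 + msg[pos]
    return pos + 1

def wants_dnssec(msg):
    """True if the query carries an OPT record with the DO flag set.
    Assumes a plain query (empty answer and authority sections)."""
    qdcount, _, _, arcount = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4          # qtype + qclass
    for _ in range(arcount):
        pos = skip_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == TYPE_OPT:
            return bool(ttl & DO_BIT)
    return False

def records_returned(query, zone_signed):
    """Simplified server model: signatures go out only for a signed zone
    and only to a resolver that set DO."""
    if zone_signed and wants_dnssec(query):
        return ["A", "RRSIG"]
    return ["A"]
```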
