> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> On Behalf Of Edward Ned Harvey (lopser)
>
> In short, the question is:
>
> What is the behavior of an old DNS caching server when it receives a client
> query for record types that it is too old to understand? Is it able to dumbly
> relay that query upstream, and dumbly relay the response back?
Apparently, RFC 3597, published in 2003, was specifically written in preparation for this. The RFC states that a DNS caching server should preserve data blobs unmodified. So, since 2010 when the root zone was signed, it seems that DNSSEC should be good and usable, and provides all upside with no downside.

The only piece missing is the practical piece: client resolvers in general right now don't request security (come on, Microsoft, Apple, etc., get with it!). And if you want to implement DNSSEC on your domain, it's not widely supported by domain registrars and DNS host providers. I checked: GoDaddy offers DNSSEC as an up-charge service. Namecheap doesn't offer it in their DNS servers (I did not check if their domain registrar supports it). Amazon Route 53 doesn't support it.

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
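As an added illustration of the RFC 3597 point above (example code, not part of this thread): a small parser and re-serializer for the generic text form `TYPEnnnn \# <length> <hex>` that the RFC defines for unknown record types, which is exactly the opaque blob a cache is expected to store and hand back unmodified. The record values in the usage line are constructed.

```python
import re

# RFC 3597 mnemonic for a record type the software has no name for: TYPE followed by the 16-bit code.
_TYPE_RE = re.compile(r"^TYPE(\d{1,5})$", re.IGNORECASE)


def parse_type(mnemonic: str) -> int:
    """Map an RFC 3597 TYPEnnnn mnemonic to its numeric type code."""
    m = _TYPE_RE.match(mnemonic)
    if not m:
        raise ValueError(f"not an RFC 3597 type mnemonic: {mnemonic!r}")
    code = int(m.group(1))
    if code > 0xFFFF:
        raise ValueError(f"type code out of range: {code}")
    return code


def parse_generic_rdata(text: str) -> bytes:
    r"""Decode RFC 3597 generic RDATA: \# <length> <hex digits, whitespace allowed>.

    The declared length must match the decoded data; a zero-length RDATA is written as '\# 0'.
    """
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] != r"\#":
        raise ValueError("generic RDATA must start with \\# followed by a length")
    length = int(tokens[1])
    hexdata = "".join(tokens[2:])
    if len(hexdata) % 2:
        raise ValueError("hex data has an odd number of digits")
    data = bytes.fromhex(hexdata)
    if len(data) != length:
        raise ValueError(f"declared length {length} does not match actual {len(data)}")
    return data


def format_generic_rr(rtype: int, rdata: bytes) -> str:
    """Re-emit the record in generic form, byte-for-byte what was parsed (no interpretation)."""
    hexpart = f" {rdata.hex().upper()}" if rdata else ""
    return f"TYPE{rtype} \\# {len(rdata)}{hexpart}"


def parse_rr(line: str):
    r"""Parse 'owner TTL CLASS TYPEnnnn \# len hex...' into (owner, ttl, class, type, rdata)."""
    owner, ttl, rclass, rtype, rest = line.split(None, 4)
    return owner, int(ttl), rclass, parse_type(rtype), parse_generic_rdata(rest)


if __name__ == "__main__":
    # Constructed sample: a private-use type code with four opaque bytes.
    print(parse_rr(r"example.test. 3600 IN TYPE65280 \# 4 C000 0201"))
```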