
Re: [dnssec-deployment] some observations about .SE's DNSSEC




On 28 Sep 2007, at 12:03 AM, Mark Andrews wrote:


The background to this story is that a popular implementation started
shipping code that sets the AD bit on validated responses even though
the DO bit was not set on the query. These answers are getting stuck
in the filters of popular DSL modems. The result being that data from
secured zones would not be resolved.

	Note this was legal to do back in 1999 when DNSSEC was first
	released.


That is noted. I think that the behavior then made sense, just as it makes sense today.

Unfortunately we are only seeing deployment 8 years later, and now the world is stuffed with DSL modems that do not expect the AD bit to be set and are less liberal in what they accept than they should be.

--Olaf



-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/
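
An added example, not part of the original message: a Python check for the case discussed in this thread, a response that carries the AD bit although the query did not set DO. The function names are hypothetical and the sample messages produced by `build` are constructed for illustration.

```python
import struct

AD_FLAG = 0x0020    # AD (Authentic Data) bit in the header flags word
DO_FLAG = 0x8000    # DO (DNSSEC OK) bit in the OPT record's TTL field (RFC 3225)
TYPE_OPT = 41       # EDNS0 OPT pseudo-record type
QNAME = b"\x07example\x02se\x00"   # constructed sample owner name

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer is two bytes
            return off + 2
        off += 1 + length

def parse_bits(msg):
    """Return (ad_bit, do_bit) for one DNS message in wire format."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    do_bit = False                      # no OPT record means DO is clear
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do_bit = bool(ttl & DO_FLAG)
    return bool(flags & AD_FLAG), do_bit

def ad_without_do(query, response):
    """True when the response sets AD but the query did not set DO."""
    return parse_bits(response)[0] and not parse_bits(query)[1]

def build(flags, answer=False, opt_do=None):
    """Construct a sample message; opt_do=None omits the OPT record."""
    an, ar = (1 if answer else 0), (0 if opt_do is None else 1)
    msg = struct.pack("!6H", 0x1234, flags, 1, an, 0, ar) + QNAME + struct.pack("!HH", 1, 1)
    if answer:   # A record for the compressed QNAME, documentation address
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    if opt_do is not None:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG if opt_do else 0, 0)
    return msg
```
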


