Re: US government mandates? use of DNSSEC by federal agencies

• From: Steven M. Bellovin
• Date: Wed Aug 27 13:13:50 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

On Wed, 27 Aug 2008 09:53:26 -0700
"Kevin Oberman" <[email protected]> wrote:

> > 
> > So the question I have is... will operators (ISP, etc) turn on
> > DNSsec checking? Or a more basic question of whether you even
> > _could_ turn on checking if you were so inclined?
> 
> As far as I can see, at least with bind-9.5, operators would have to
> turn it off. It looks to me like dnssec-validation defaults to on. It
> also appears that bind-9.4 defaults to 'off'. 

Right.  The real questions are the clients and the trust anchor -- what
root key do you support?


		--Steve Bellovin, http://www.cs.columbia.edu/~smb

• Follow-Ups:
  • Re: US government mandates? use of DNSSEC by federal agencies Jeroen Massar

• References:
  • Re: US government mandates? use of DNSSEC by federal agencies Michael Thomas
  • Re: US government mandates? use of DNSSEC by federal agencies Kevin Oberman

• Prev by Date: Re: interger to I P address
• Next by Date: Re: US government mandates? use of DNSSEC by federal agencies
• Date Index
• Thread Index
• Author Index
• Historical