[107156] in North American Network Operators' Group


Re: US government mandates? use of DNSSEC by federal agencies

daemon@ATHENA.MIT.EDU (Kevin Oberman)
Wed Aug 27 12:53:37 2008

To: Michael Thomas <mike@mtcc.com>
In-Reply-To: Your message of "Wed, 27 Aug 2008 09:22:40 PDT."
	<48B57F50.2040506@mtcc.com> 
Date: Wed, 27 Aug 2008 09:53:26 -0700
From: "Kevin Oberman" <oberman@es.net>
X-To: Michael Thomas <mike@mtcc.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

> Date: Wed, 27 Aug 2008 09:22:40 -0700
> From: Michael Thomas <mike@mtcc.com>
> 
> Kevin Oberman wrote:
> >> Date: Tue, 26 Aug 2008 16:53:24 -0400
> >> From: "Bill Bogstad" <bogstad@pobox.com>
> >>
> >> Not sure what this will actually mean in the long run, but it's at
> >> least worth noting.
> >>
> >> http://www.gcn.com/online/vol1_no1/46987-1.html
> >> http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf
> > 
> > It will mean something in the medium term as '.gov' and '.org' will be
> > signed very soon and OMB might be able to even get the root
> > signed. (Since OMB can pull funding, no one argues with them much.)
> > All of this will increase pressure on Verisign to deal with '.com' and
> > '.net'.
> > 
> > Note that this only has an impact on '.gov' and the zones immediately
> > below it, but I suspect most sub-domains of *.gov will be signed as a
> > result of this, even if it is not required.
> 
> So the question I have is... will operators (ISP, etc) turn on DNSsec
> checking? Or a more basic question of whether you even _could_ turn on
> checking if you were so inclined?

As far as I can see, at least with bind-9.5, operators would have to
turn it off. It looks to me like dnssec-validation defaults to on. It
also appears that bind-9.4 defaults to 'off'. 
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
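
An added example, not part of the original message and not BIND's own code: because the reply notes that the `dnssec-validation` default appears to differ between bind-9.4 and bind-9.5, this sketch reports which `options` and `view` blocks of a `named.conf` set the option explicitly and which rely on the installed version's default. The sample configuration is constructed, and the function names (`strip_comments`, `top_level_blocks`, `audit`) are hypothetical.

```python
import re

# Constructed sample named.conf (not from the original message).
SAMPLE_CONF = '''
// caching resolver
options {
    directory "/var/named";   # working directory
    /* dnssec-validation no;  commented out, must be ignored */
};
view "internal" {
    dnssec-validation yes;
};
'''

_COMMENT_OR_STRING = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Blank out /* */, // and # comments while keeping quoted strings."""
    return _COMMENT_OR_STRING.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else ' ', text)

def top_level_blocks(text):
    """Yield (header, body) for every top-level 'header { body };' statement."""
    depth, head_start, body_start, in_str, header = 0, 0, 0, False, ''
    for i, ch in enumerate(text):
        if ch == '"':
            in_str = not in_str
        elif in_str:
            continue
        elif ch == '{':
            if depth == 0:
                header, body_start = text[head_start:i].strip(), i + 1
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                yield header, text[body_start:i]
        elif ch == ';' and depth == 0:
            head_start = i + 1

def audit(text):
    """Map each options/view block to its explicit setting, or None if unset."""
    found = {}
    for header, body in top_level_blocks(strip_comments(text)):
        if header.split()[:1] in (['options'], ['view']):
            m = re.search(r'(?<![\w-])dnssec-validation\s+(\w+)\s*;', body)
            found[header] = m.group(1) if m else None
    return found

print(audit(SAMPLE_CONF))
```

A block reported as `None` behaves according to whatever the running BIND version defaults to, so its behaviour can change across an upgrade.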


