[107160] in North American Network Operators' Group
Re: US government mandates? use of DNSSEC by federal agencies
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Aug 27 13:13:51 2008
Date: Wed, 27 Aug 2008 13:13:42 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "Kevin Oberman" <oberman@es.net>
In-Reply-To: <20080827165326.E0D204500F@ptavv.es.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On Wed, 27 Aug 2008 09:53:26 -0700
"Kevin Oberman" <oberman@es.net> wrote:
> >
> > So the question I have is... will operators (ISP, etc) turn on
> > DNSsec checking? Or a more basic question of whether you even
> > _could_ turn on checking if you were so inclined?
>
> As far as I can see, at least with bind-9.5, operators would have to
> turn it off. It looks to me like dnssec-validation defaults to on. It
> also appears that bind-9.4 defaults to 'off'.
Right. The real questions are the clients and the trust anchor -- what
root key do you support?
--Steve Bellovin, http://www.cs.columbia.edu/~smb
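
Added example, not part of the original message or of BIND: a small audit that reads named.conf text and reports whether a resolver can actually validate, joining the two points in the thread (the dnssec-validation setting and whether any trust anchor is configured). The function name, the sample configurations and the placeholder key are constructed for illustration, and the build's default for an unset option is passed in by the caller rather than assumed per version.

```python
import re

# Quoted strings and the three named.conf comment styles, matched in one
# left-to-right pass so a "//" inside base64 key data is not read as a comment.
_SKIP = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_OPTION = re.compile(r"\bdnssec-validation\s+(\w+)\s*;")
# trusted-keys is the statement of the BIND 9.4/9.5 era; managed-keys and
# trust-anchors are its successors in later releases.
_ANCHORS = re.compile(r"\b(?:trusted-keys|managed-keys|trust-anchors)\s*\{([^}]*)\}")

def validation_status(conf_text, build_default):
    """Return (setting, anchor_count, validating) for named.conf text.

    build_default is what the installed named does when the option is absent;
    it is supplied by the caller, not looked up per version.
    """
    clean = _SKIP.sub(lambda m: '""' if m.group(0)[0] == '"' else " ", conf_text)
    found = _OPTION.search(clean)
    setting = found.group(1).lower() if found else build_default
    anchors = sum(1 for body in _ANCHORS.findall(clean)
                  for entry in body.split(";") if entry.strip())
    # "yes" validates only below a configured anchor; "auto" (later releases)
    # brings a built-in root anchor.
    validating = setting == "auto" or (setting == "yes" and anchors > 0)
    return setting, anchors, validating

# Constructed samples; the key data is a placeholder, not a real key.
ON_WITHOUT_ANCHOR = '''
options {
    directory "/var/named";   // validation requested, nothing to chain to
    dnssec-validation yes;
};
'''
ON_WITH_ANCHOR = '''
options { dnssec-validation yes; };
# trusted-keys { old.example. 257 3 5 "AAAA"; };
trusted-keys {
    example.net. 257 3 5 "PLACEHOLDER//KEY+DATA==";   /* island of trust */
};
'''

if __name__ == "__main__":
    for name, conf in (("no anchor", ON_WITHOUT_ANCHOR), ("anchor", ON_WITH_ANCHOR)):
        print(name, validation_status(conf, build_default="no"))
```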