[107195] in North American Network Operators' Group
Re: US government mandates? use of DNSSEC by federal agencies
daemon@ATHENA.MIT.EDU (David Conrad)
Wed Aug 27 19:41:27 2008
From: David Conrad <drc@virtualized.org>
To: Michael Thomas <mike@mtcc.com>
In-Reply-To: <48B59705.8040804@mtcc.com>
Date: Wed, 27 Aug 2008 16:41:20 -0700
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Aug 27, 2008, at 11:03 AM, Michael Thomas wrote:
> Of course embedded frobs that don't
> auto-update like, oh say, your favorite router could be problematic.

You have a router that supports DNSSEC that can't be made to do some
form of auto-update?

> In any case, the point of my first question was really about the
> concern of false positives. Do we really have any idea what will
> happen if you hard fail dnssec failures?

As far as I'm aware, there is no 'soft fail' for DNSSEC failures. In
the caching servers I'm familiar with, if a name fails to validate, it
used to be that it doesn't get cached and SERVFAIL is returned. Maybe
that's been fixed?

Regards,
-drc
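
The hard-fail behaviour discussed in this message, as an added example that is not part of the original post: a validating resolver answers SERVFAIL for a name that fails validation, so an operator can separate a DNSSEC failure from an ordinary outage by asking the same question again with the CD (Checking Disabled) header bit set. The function names, the transaction ID and the sample response headers are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
FLAG_RD, FLAG_AD, FLAG_CD = 0x0100, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

def build_query(name, qtype=1, cd=False, txid=0x1234):
    """Build a DNS query with EDNS0 DO=1; cd=True sets Checking Disabled."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, class = UDP size, TTL carries DO bit
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_flags(response):
    """Return (rcode, ad) from the 12-byte DNS header of a response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return flags & 0x000F, bool(flags & FLAG_AD)

def classify(resp_validating, resp_cd):
    """Compare the answers to the same question asked with CD=0 and CD=1."""
    rcode, ad = parse_flags(resp_validating)
    rcode_cd, _ = parse_flags(resp_cd)
    if rcode == RCODE_SERVFAIL and rcode_cd == RCODE_NOERROR:
        return "bogus"      # data exists, but validation rejected it
    if rcode == RCODE_SERVFAIL:
        return "servfail"   # fails even unvalidated: not a DNSSEC problem
    if ad:
        return "secure"     # resolver validated the answer
    return "insecure"       # answered, but no validated chain of trust

def sample_response(flag_bits):
    """Constructed response header (QR|RD|RA plus flag_bits), no records."""
    return struct.pack("!HHHHHH", 0x1234, 0x8180 | flag_bits, 1, 0, 0, 0)

if __name__ == "__main__":
    # Constructed pair: SERVFAIL when validating, NOERROR with CD=1
    print(classify(sample_response(RCODE_SERVFAIL), sample_response(0)))
```

To use it against a real resolver, send the bytes from `build_query(name)` and `build_query(name, cd=True)` over UDP port 53 and pass the two replies to `classify`.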