[140128] in North American Network Operators' Group
Re: trouble with .gov dns?
daemon@ATHENA.MIT.EDU (Tony Finch)
Mon May  2 19:47:28 2011
Date: Tue, 3 May 2011 00:47:15 +0100
From: Tony Finch <dot@dotat.at>
To: Florian Weimer <fw@deneb.enyo.de>
In-Reply-To: <87zkn5t3fo.fsf@mid.deneb.enyo.de>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Florian Weimer <fw@deneb.enyo.de> wrote:
>
> > I have "dnssec-enable no;" in my bind config.
>
> It does not seem to have the intended effect.

BIND's interpretation of the DO bit is "I understand DNSSEC RRs so it is
OK to send them" not "I would like you to send DNSSEC RRs". This is why it
always sets the DO bit when it can, i.e. when the request contains an EDNS
OPT pseudo-RR.
Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5
or 6 later. Rough or very rough. Occasional rain. Moderate or good,
occasionally poor.
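
Added example, not part of the original message or of BIND: a small Python sketch that shows where the DO bit discussed above sits on the wire (the top bit of the 16-bit flags in the OPT pseudo-RR's TTL field, per RFC 3225) and reports whether a captured query carries EDNS and DO. The function names and the sample name example.com are constructed for illustration.

```python
import struct

TYPE_OPT = 41      # EDNS OPT pseudo-RR type
DO_FLAG = 0x8000   # top bit of the 16-bit EDNS flags (RFC 3225)

def build_query(qname, qtype=1, edns=True, do=False, udp_size=4096):
    """Build a wire-format DNS query, optionally with an OPT pseudo-RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    # OPT RR: root owner name, TYPE=41, CLASS carries the UDP payload size,
    # TTL = extended-rcode(8) | version(8) | flags(16), RDLENGTH=0
    ttl = DO_FLAG if do else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer is two bytes
            return off + 2
        off += 1 + n

def edns_status(msg):
    """Return (has_opt, do_bit, udp_size) for a wire-format DNS message."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return True, bool(ttl & DO_FLAG), rclass
    return False, False, None

if __name__ == "__main__":
    # Constructed sample queries: no EDNS, EDNS without DO, EDNS with DO
    for kw in ({"edns": False}, {"do": False}, {"do": True}):
        print(kw, edns_status(build_query("example.com", **kw)))
```

Without an OPT pseudo-RR there is no place to carry the DO bit at all, which is why its presence depends on EDNS being used in the request.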