[140135] in North American Network Operators' Group
Re: trouble with .gov dns?
Tue May 3 01:20:14 2011
From: Florian Weimer <fw@deneb.enyo.de>
To: Tony Finch <dot@dotat.at>
Date: Tue, 03 May 2011 07:19:21 +0200
In-Reply-To: <alpine.LSU.2.00.1105030042390.31133@hermes-2.csi.cam.ac.uk> (Tony Finch's message of "Tue, 3 May 2011 00:47:15 +0100")
Cc: nanog@nanog.org
* Tony Finch:
> Florian Weimer <fw@deneb.enyo.de> wrote:
>>
>> > I have "dnssec-enable no;" in my bind config.
>>
>> It does not seem to have the intended effect.
>
> BIND's interpretation of the DO bit is "I understand DNSSEC RRs so
> it is OK to send them" not "I would like you to send DNSSEC
> RRs". This is why it always sets the DO bit when it can, i.e. when
> the request contains an EDNS OPT pseudo-RR.
I would go even further---the DO bit is not about DNSSEC at all. The
resolver just promises to ignore any ancillary record sets it does not
understand. If DO were about DNSSEC, a new flag would have been
introduced along with DNSSECbis, where the record types changed so
that for resolvers implementing the older protocol, the DNSSECbis
records just looked like garbage.
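As an added illustration of where the DO bit actually lives and what it gates (example code written for this archive page, not from the thread participants or from BIND): the EDNS OPT pseudo-RR carries DO as the top bit of the 16-bit flags half of its TTL field, and a server applying the semantics described above only adds RRSIG/NSEC records when the querier has set it. The query name, UDP payload size and query ID are constructed sample values.

```python
import struct

OPT_TYPE = 41                  # EDNS(0) OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000               # "DNSSEC OK" bit in the OPT TTL field (RFC 3225)
DNSSEC_ONLY_WITH_DO = {46: "RRSIG", 47: "NSEC", 50: "NSEC3"}  # added by signed servers on their own

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_opt_rr(do_bit, udp_size=4096):
    """OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=extRCODE|VERSION|DO|Z, no RDATA."""
    ttl = DO_FLAG if do_bit else 0          # extended RCODE 0, version 0, Z bits clear
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)

def build_query(qname, qtype, do_bit=None, qid=0x1234):
    """do_bit=None means plain DNS (no OPT RR at all); True/False sets or clears DO."""
    arcount = 0 if do_bit is None else 1
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)   # RD set, one question
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return msg if do_bit is None else msg + build_opt_rr(do_bit)

def skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0:              # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def do_bit_requested(msg):
    """True/False if an OPT RR is present with DO set/clear; None if the query has no EDNS at all."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an + ns and rtype == OPT_TYPE:   # OPT lives in the additional section
            return bool(ttl & DO_FLAG)
    return None

def answer_section_for(do_set, qtype, rrsets):
    """Without DO the querier has not promised to tolerate record types it may not understand,
    so automatically added DNSSEC records are left out (an explicit query for one is still answered)."""
    return [(n, t) for n, t in rrsets if do_set or t == qtype or t not in DNSSEC_ONLY_WITH_DO]
```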