DNSSEC ISSUE (Msg: Request is not signed)

Edward Lewis Ed.Lewis at neustar.biz
Mon Jul 16 12:05:07 UTC 2007

At 14:40 +0900 7/16/07, Curt Sampson wrote:

>I'm curious as to why this is set up this way, though. Wouldn't it make
>sense that authoratative servers, when loading or fetching the zone
>file, validate the data when loaded and then return responses with the
>AD bit set?

That was in the original design of DNSSEC.  The problem was that 
performing crypto operations takes a long time and the only thing 
proven was that your zone file was not corrupted between the time of 
signing and the loading of the zone. Too much time for no payoff.

After changing the design, we then spent a lot of time redefining the 
"AD" bit.  The question was whether the AD bit meant the server felt 
the answer was authenticated or if the AD bit meant that the answer 
was cryptographically checked. (The two questions are not the same.)

See: ftp://ftp.rfc-editor.org/in-notes/rfc3655.txt
Edward Lewis                                                +1-571-434-5468

Think glocally.  Act confused.

More information about the bind-users mailing list