www.ncbi.nlm.nih.gov / pubmed
Casey Deccio
casey at deccio.net
Wed Aug 18 18:28:47 UTC 2010
On Wed, Aug 18, 2010 at 10:55 AM, Dave Sparro <dsparro at gmail.com> wrote:
> It seems to me that the OP wanted a work-around to the fact that his end
> users couldn't use the website due to a validation failure.
> It still seems to me that working around that situation misses the point of
> using DNSSEC.
>
I read your response only in the context of the quoted text and didn't
notice the text from the original post asking if there was a BIND
work-around. Hence my lengthy discourse on insecure delegation...
Regarding the "work-around", I'm not sure how BIND's "keep trying"
algorithm is currently implemented and if it induces queries to other
servers to find NSEC/NSEC3 RRs if they aren't present in the first
response accompanying an NXDOMAIN or authoritative response with empty
answer section.
Regards,
Casey
More information about the bind-users
mailing list