DNSSEC HW Support
prock111 at yahoo.com
Tue Mar 16 14:57:31 UTC 2010
> > I'd like to get your feedback on the following thoughts regarding DNSSEC HW support.
> >
> > Any layer 2 or 3 devices forwarding frames or packets should not be affected by the implementation of DNSSEC regardless of the type of protocol (TCP/UDP) or the query size (large or small).
> >
> > Layer 4 devices (smart switches) should not be affected by the implementation of DNSSEC using the same logic.
> >
> > My thoughts are these products simply forward data based on a frame, IP address, or protocol and should not be affected by the implementation of DNSSEC. Would you agree?
> >
> > Thanks in advance.
> >
>
> I think you are basically correct except for one very
> important caveat:
>
> DNS BGP anycasting (in widespread use by many large
> operations), where you might need to sign zones on the fly
> with special crypto hardware.
So if I'm testing a router for DNSSEC compliance, you'd recommend I run a test using RIP or OSPF, then a separate test for BGP. Is that correct?
I'm trying to figure out how many tests I need to run for an individual product (layer 2, 3, 4, and 7) before I can say it is completely DNSSEC compliant.
More information about the bind-users
mailing list