Free secondary servers supporting DNSSEC?
Mark Andrews
marka at isc.org
Sun Feb 17 21:21:35 UTC 2013
In message <alpine.LSU.2.00.1302171800460.731 at hermes-1.csi.cam.ac.uk>, Tony Fin
ch writes:
> Vernon Schryver <vjs at rhyolite.com> wrote:
> >
> > How does a secondary authoritative DNS server fail to support DNSSEC?
>
> A security-aware authoritative server has to support:
>
> * EDNS0 and DO
> * RRSIG records alongside the RRsets they cover in responses
> * Special logic for DS in parent zones
> * NSEC or NSEC3 in negative and wildcard responses
Well that's been available for 8 years now. Even Microsoft support
it in their servers. NSEC3 support has been available for 4 years.
It's hard to find servers that don't support DNSSEC out of the box
these days.
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list