recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'
dougb at dougbarton.us
Tue Aug 26 16:52:27 UTC 2014
On 8/26/14 5:50 AM, Tomas Hozza wrote:
| On 08/26/2014 02:27 PM, Mark Andrews wrote:
|>> Why would you expect them to succeed?
| Because validation using root servers and authoritative servers
| proved that the domain is intentionally unsecure.
It seems that Mark straightened you out a bit. :) I think it's
worthwhile to discuss a little more of the theory for those watching
the thread, and for the archives.
The point of DLV initially was to provide a mechanism for sharing
trust anchors for those that did not have a path through the root
(which in the early days of course was everyone). Thus Mark's point
that the lack of a path through the root not being conclusive is quite
The other thing worth pointing out is that while it's certainly fine
to test the DLV, and understand how it works, at this point in the
evolution of DNSSEC the commonly accepted wisdom is that it should not
be used routinely; and in fact should only be used when the admin
knows that there is a TA in it that she needs, and that is not
available with a path through the root.
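The failure mode discussed in this thread comes down to one named.conf option. Below is an added illustration (not part of Doug's or Tomas's posts, and not ISC's own example) showing the weak setting beside the two forms the advice above implies. The resolver name "ns1.example.net" is a placeholder, and the DLV key material is deliberately left as a placeholder rather than a real key.

```conf
// --- As configured in the reported setup (assumed): ---
// With dnssec-lookaside auto, named must consult dlv.isc.org for every name
// whose chain from the root ends in a proven-insecure delegation, because
// "no path through the root" is not conclusive while DLV is enabled. If
// dlv.isc.org is unreachable, those lookups SERVFAIL even though the zone
// is intentionally unsigned.
options {
    directory "/var/named";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation auto;   // built-in root trust anchor, managed keys
    dnssec-lookaside auto;    // <-- the setting at issue in the thread
};

// --- What the thread recommends for a resolver that has a path
//     through the root for every trust anchor it needs: ---
options {
    directory "/var/named";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside no;      // insecure names resolve without any DLV fetch
};

// --- Only if the admin knows a needed trust anchor is in DLV and is
//     not reachable via the root. Explicit form, so the dependency on
//     dlv.isc.org is a deliberate, visible choice: ---
options {
    directory "/var/named";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};
trusted-keys {
    // PLACEHOLDER: replace with the published dlv.isc.org KSK; do not use as-is
    "dlv.isc.org." 257 3 5 "REPLACE-WITH-PUBLISHED-DLV-KEY-BASE64";
};
```

Only one `options` block may appear in a real named.conf; the three are shown side by side for comparison. After changing the setting, `named-checkconf` validates the syntax and `rndc reconfig` applies it; the check that matters is that a `dig +dnssec` for a known-unsigned name returns NOERROR rather than SERVFAIL when dlv.isc.org is unreachable.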