On Thu, 25 Feb 2010, Evan Hunt wrote:

> > It's going to be interesting to watch. I guess that depends on whether DNSSEC is
> > turned on by default in BIND. Incidentally - is it?

> That depends on what you mean by "turned on".  The DNSSEC protocol is
> enabled, and the DO bit is set in queries, so authoritative servers with
> signed data will send it.

The default in Fedora has been "on" with many keys and DLV since Fedora-12.
That's about 6 months now.

> (There is a built-in trust anchor for dlv.isc.org included with BIND 9.7,
> but you have to turn on a config option for it to be used, and that will
> not change.  We would like people to trust us, and we wanted to make it
> as easy as possible to do so, but we don't think we'd be worthy of trust
> if we made it the default.)

That's correct. But Fedora has tested and used the DLV, and it seems
very solid, though we are looking at one bootstrap issue with VPN we
have observed, where BIND could not fetch the DLV's DNSKEY to validate.

But people who are waiting for DNSSEC to "get turned on" are denialists.

Paul
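The three different things "DNSSEC turned on" can mean in this exchange, shown as a BIND 9.7-style named.conf fragment. This is an added illustration, not configuration from the thread, Fedora or ISC; the option syntax is assumed from BIND 9.7 and the DNSKEY string is a placeholder.

```conf
// Added example: what "DNSSEC on" means at each layer in BIND 9.7.
options {
    // 1. Protocol enabled: named sets the DO bit in queries and accepts
    //    RRSIG/DNSKEY records in answers. This is the default Evan
    //    describes above; by itself nothing is verified.
    dnssec-enable yes;

    // 2. Validation: named checks signature chains against a configured
    //    trust anchor. Zones that cannot be chained to an anchor are
    //    treated as insecure, not bogus, so an anchor is still required.
    dnssec-validation yes;

    // 3. Lookaside validation through ISC's DLV registry. "auto" uses the
    //    dlv.isc.org anchor shipped with BIND 9.7, but only when this line
    //    is present; it is not enabled by default, as the thread notes.
    dnssec-lookaside auto;
};

// The explicit form Fedora-style deployments used before "auto": name the
// lookaside zone and supply its DNSKEY as a trust anchor yourself.
// (Key material below is a placeholder, not a real DLV key.)
//
// trusted-keys {
//     dlv.isc.org. 257 3 5 "PLACEHOLDER-BASE64-DNSKEY";
// };
// options { dnssec-lookaside . trust-anchor dlv.isc.org.; };
```

Note the bootstrap dependency Paul mentions: with lookaside configured, a resolver that cannot reach dlv.isc.org to fetch its DNSKEY (for example behind a VPN that is not yet up) cannot complete validation for names that rely on the DLV path.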
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
