In message <[email protected]>, Florian Weimer writes:
> * Paul Wouters:
>
> > Sorry, I mistook the flags in the struct to be the DNS flags. Let me
> > rephrase it as "a DNS API call that returns the presence or lack of
> > AD bit"
>
> I think this focus on the AD bit is a grave mistake. There are other
> technologies for securing DNS data. At least one of them (installing
> an authenticated copy of the zone in the resolver) is superior to
> DNSSEC according to various criteria, but full implementation requires
> that the resolver clears the AD bit.
You can set AD=1 with a local copy of the zone. I actually run named
locally like this with full DNSSEC validation of results returned from
the local zone. You can also just assert AD=1 without doing validation
if that is what your local policy states on secure transfer.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
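An added illustration of the "DNS API call that returns the presence or lack of the AD bit" the thread is arguing about; this is example code written for this page, not anything posted by Paul, Florian or Mark and not part of BIND or any other resolver. It builds a wire-format query with AD=1 set (which, per RFC 6840 section 5.7, asks a validating resolver to report the AD bit back), parses the response header flags with only the Python standard library, and treats AD=1 as meaningful only when the caller says the resolver is trusted, since AD is just an assertion by whichever resolver (or on-path party) wrote the response. The sample response headers are constructed inline; `make_response`, `is_authenticated` and the `resolver_is_trusted` argument are names chosen for this example.

```python
import secrets
import socket
import struct

# DNS header flag bits in the 16-bit flags word (RFC 1035 4.1.1; AD and CD from RFC 4035).
FLAG_QR = 0x8000  # response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data (set by a validating resolver)
FLAG_CD = 0x0010  # checking disabled (client asks resolver not to validate)
RCODE_MASK = 0x000F


def build_query(qname, qtype=1, want_ad=True, checking_disabled=False):
    """Return a wire-format DNS query (header + one question).

    want_ad=True sets AD=1 in the query, which tells a validating resolver
    we understand the AD bit and want it reported in the response.
    """
    flags = FLAG_RD
    if want_ad:
        flags |= FLAG_AD
    if checking_disabled:
        flags |= FLAG_CD
    header = struct.pack("!HHHHHH", secrets.randbits(16), flags, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % qname)
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict; AD and CD come back as booleans."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_authenticated(response, resolver_is_trusted):
    """True only if this is a NOERROR response carrying AD=1 from a resolver we trust.

    AD=1 is a claim made by the resolver. It is only worth anything when the
    channel to that resolver cannot be tampered with (e.g. a validating named on
    localhost), because anyone who can write the response can set the bit
    (RFC 4035 4.9.3). A local authenticated copy of the zone, as discussed in
    the thread, can legitimately answer with AD=1 if local policy says so.
    """
    hdr = parse_header(response)
    return hdr["qr"] and hdr["rcode"] == 0 and hdr["ad"] and bool(resolver_is_trusted)


def make_response(txid, flags, ancount=1):
    """Constructed 12-byte response header used as sample input (no RRs attached)."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def query_udp(qname, server="127.0.0.1", port=53, timeout=2.0):
    """Send build_query() over UDP and return the raw response (needs a live resolver)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, port))
        data, _ = s.recvfrom(4096)
    return data


if __name__ == "__main__":
    # Constructed samples: a validating resolver (QR|RD|RA|AD) vs a non-validating one (QR|RD|RA).
    validating = make_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
    plain = make_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)
    print("local validating resolver:", is_authenticated(validating, resolver_is_trusted=True))
    print("same bits from an untrusted path:", is_authenticated(validating, resolver_is_trusted=False))
    print("non-validating resolver:", is_authenticated(plain, resolver_is_trusted=True))
```

`query_udp` is there so the same parser can be pointed at a real resolver (for instance the locally run named Mark describes); everything else runs offline on the constructed headers. Note that the decision function refuses to take AD=1 at face value from an untrusted resolver, which is the practical limit of any "does the response have AD set" API.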
