> Date: Wed, 27 Aug 2008 09:22:40 -0700 > From: Michael Thomas <[EMAIL PROTECTED]> > > Kevin Oberman wrote: > >> Date: Tue, 26 Aug 2008 16:53:24 -0400 > >> From: "Bill Bogstad" <[EMAIL PROTECTED]> > >> > >> Not sure what this will actually mean in the long run, but it's at > >> least worth noting. > >> > >> http://www.gcn.com/online/vol1_no1/46987-1.html > >> http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf > > > > It will mean something in the medium term as '.gov' and '.org' will be > > signed very soon and OMB might be able to even get the root > > signed. (Since OMB can pull funding, no one argues with them much.) > > All of this will increase pressure on Verisign to deal with '.com' and > > '.net'. > > > > Note that this only has an impact on '.gov' and the zones immediately > > below it, but I suspect most sub-domains of *.gov will be signed as a > > result of this, even if it is not required. > > So the question I have is... will operators (ISP, etc) turn on DNSsec > checking? Or a more basic question of whether you even _could_ turn on > checking if you were so inclined?
As far as I can see, at least with bind-9.5, operators would have to turn it off. It looks to me like dnssec-validation defaults to on. It also appears that bind-9.4 defaults to 'off'. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: [EMAIL PROTECTED] Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
pgpaoRvrXRBfz.pgp
Description: PGP signature