> -----Original Message-----
> From: ma...@isc.org [mailto:ma...@isc.org]
> Sent: Tuesday, February 16, 2010 12:37 AM
> To: Mark Scholten
> Cc: 'Tony Finch'; nanog@nanog.org
> Subject: Re: in-addr.arpa server problems for europe?
>
>
> In message <017901caae69$5d9e8770$18db96...@nl>, "Mark Scholten"
> writes:
> >
> >
> > > -----Original Message-----
> > > From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony
> > > Finch
> > > Sent: Monday, February 15, 2010 6:21 PM
> > > To: Mark Scholten
> > > Cc: nanog@nanog.org
> > > Subject: RE: in-addr.arpa server problems for europe?
> > >
> > > On Mon, 15 Feb 2010, Mark Scholten wrote:
> > > >
> > > > I've seen problems that are only there because of DNSSEC, so if there
> > > > is a problem, starting with trying to disable DNSSEC could be a good
> > > > idea. As long as not all root zones are signed I don't see a good
> > > > reason to use DNSSEC at the moment.
> > >
> > > You realise that two of them are signed now and the rest will be
> > > signed by 1st July?
> > >
> > > Tony.
> >
> > Yes, I realise that. I also realise that not all nameserver software can
> > work as it works with DNSSEC. That is also a problem that has to be
> > solved, and as far as I know all nameserver software we use supports it
> > or will support it in the future. As long as it is not supported by all
> > nameserver software you can keep having problems.
>
> Nameservers that are not DNSSEC aware will not get responses that
> contain DNSSEC records unless a client explicitly requests a DNSSEC
> record type or makes a * (ANY) request.
>
> There is no problem to solve. Just a lot of misunderstanding.
>
> That said, the majority of nameservers on the planet are DNSSEC aware
> and will request the DNSSEC records to be returned. They will also
> fall back to plain DNS if middleware blocks the response.
As you've understood, I need to read something extra about DNSSEC support. Most of what I know about DNSSEC is based on my contacts with software writers who create nameservers and with system administrators maintaining multiple nameservers.

So, if I understand it correctly: if a resolver requests DNSSEC information (together with, for example, www.domain.tld) and one resolver before the authoritative nameserver doesn't have DNSSEC, it won't ask for/require DNSSEC? In that case man-in-the-middle attacks are still possible. Also note that a provider might have multiple resolvers, with some using/able to provide DNSSEC and others without DNSSEC support.

Mark
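The two mechanisms the thread turns on are both visible in the query packet itself: a server adds RRSIG/NSEC/DS records to a response only when the query carried an EDNS0 OPT record with the DO ("DNSSEC OK") bit set, or when the client explicitly asked for a DNSSEC type or ANY. The small wire-format builder below is an added example written for this page; it is not code from the thread or from any nameserver, and it does no network I/O. It builds queries with and without EDNS/DO, applies the server-side rule, and models (as an assumption about legacy behaviour, not a measurement of any product) what happens when an EDNS-unaware forwarder in the chain rebuilds the query without the OPT record. Name compression is deliberately not handled, which is fine for queries.

```python
"""Minimal DNS query wire-format builder/parser showing when a server should
return DNSSEC records (RFC 3225 DO bit, or an explicit DNSSEC/ANY qtype).
Added example for illustration; not code from the NANOG thread; no network I/O."""
import struct

TYPE_A, TYPE_OPT, TYPE_DS, TYPE_RRSIG, TYPE_NSEC = 1, 41, 43, 46, 47
TYPE_DNSKEY, TYPE_NSEC3, TYPE_ANY = 48, 50, 255
DNSSEC_QTYPES = {TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY, TYPE_NSEC3, TYPE_ANY}
EDNS_DO = 0x8000   # DO flag: high bit of the 16-bit flags half of the OPT "TTL" field
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode an uncompressed owner name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode an uncompressed name starting at off; return (name, new_off)."""
    labels = []
    while True:
        ln = pkt[off]
        if ln & 0xC0:
            raise ValueError("compression pointers not supported in this example")
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def build_query(qname: str, qtype: int, txid: int = 0x1234,
                edns: bool = False, do: bool = False) -> bytes:
    """Build a recursion-desired query. edns=True appends an OPT RR;
    do=True sets the DO bit inside it (the bit has nowhere to live without EDNS)."""
    if do and not edns:
        raise ValueError("DO bit lives in the OPT RR; needs edns=True")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns:
        # OPT RR: root owner name, type 41, class = UDP payload size,
        # "TTL" = ext-rcode(8) | version(8) | flags(16), rdlen 0
        flags = EDNS_DO if do else 0
        opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, flags, 0)
    return header + question + opt


def parse_query(pkt: bytes) -> dict:
    """Return txid, qname, qtype and the EDNS/DO state of a query."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    edns = do = False
    for _ in range(ar):                      # walk the additional section for OPT
        _, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns = True
            do = bool(ttl & EDNS_DO)
    return {"txid": txid, "qname": qname, "qtype": qtype, "edns": edns, "do": do}


def server_includes_dnssec_rrs(pkt: bytes) -> bool:
    """Authoritative-server rule (RFC 4035 section 3.1): include RRSIG/NSEC/DS
    records only if the query set DO, or explicitly asked for a DNSSEC type or ANY."""
    q = parse_query(pkt)
    return q["do"] or q["qtype"] in DNSSEC_QTYPES


def legacy_forwarder_rebuild(pkt: bytes) -> bytes:
    """Assumed behaviour of an EDNS-unaware forwarder: it re-issues the same
    question upstream without an OPT RR, so the DO bit never reaches the server."""
    q = parse_query(pkt)
    return build_query(q["qname"], q["qtype"], q["txid"], edns=False)


if __name__ == "__main__":
    plain = build_query("www.example.com", TYPE_A)
    with_do = build_query("www.example.com", TYPE_A, edns=True, do=True)
    print("plain A query        ->", server_includes_dnssec_rrs(plain))        # False
    print("A query with DO      ->", server_includes_dnssec_rrs(with_do))      # True
    print("DO, via legacy fwd   ->", server_includes_dnssec_rrs(legacy_forwarder_rebuild(with_do)))  # False
    print("ANY without DO       ->", server_includes_dnssec_rrs(build_query("example.com", TYPE_ANY)))  # True
```

The third line of the demo is the case Mark asks about: a validating resolver sets DO, but if the hop in front of the authoritative server does not speak EDNS, the server sees a plain query and (by the rule Mark Andrews describes) returns no signatures, so the downstream resolver has nothing to validate. Whether that is "a problem to solve" is the thread's argument; the packet-level mechanics are all this example shows.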