in-addr.arpa server problems for europe?

Mark Andrews marka at isc.org
Mon Feb 15 23:37:05 UTC 2010


In message <017901caae69$5d9e8770$18db9650$@nl>, "Mark Scholten" writes:
> 
> 
> > -----Original Message-----
> > From: Tony Finch [mailto:fanf2 at hermes.cam.ac.uk] On Behalf Of Tony
> > Finch
> > Sent: Monday, February 15, 2010 6:21 PM
> > To: Mark Scholten
> > Cc: nanog at nanog.org
> > Subject: RE: in-addr.arpa server problems for europe?
> > 
> > On Mon, 15 Feb 2010, Mark Scholten wrote:
> > >
> > > I've seen problems that are only there because of DNSSEC, so if there
> > is a
> > > problem starting with trying to disable DNSSEC could be a good idea.
> > As long
> > > as not all rootzones are signed I don't see a good reason to use
> > DNSSEC at
> > > the moment.
> > 
> > You realise that two of them are signed now and the rest will be signed
> > by
> > 1st July?
> > 
> > Tony.
> 
> Yes, I realise that. I also realise that not all nameserver software can
> work as it work with DNSSEC. That is also a problem that has to be solved
> and for as far as I know all nameserver software we use support it or will
> support it in the future. As long as it is not supported by all nameserver
> software you can keep problems.

Nameservers that are not DNSSEC aware will not get responses that
contain DNSSEC records unless a client explicitly requests a DNSSEC
record type or make a * (ANY) request.

There is no problem to solve.  Just a lot of misunderstanding.

That said the majority of nameservers on the planet are DNSSEC aware
and will request the DNSSEC record to be returned.  They will also
fall back to plain DNS if middleware blocks the response.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org




More information about the NANOG mailing list