trouble with .gov dns?

Florian Weimer fw at deneb.enyo.de
Tue May 3 05:19:21 UTC 2011


* Tony Finch:

> Florian Weimer <fw at deneb.enyo.de> wrote:
>>
>> > I have "dnssec-enable no;" in my bind config.
>>
>> It does not seem to have the intended effect.
>
> BIND's interpretation of the DO bit is "I understand DNSSEC RRs so
> it is OK to send them" not "I would like you to send DNSSEC
> RRs". This is why it always sets the DO bit when it can, i.e. when
> the request contains an EDNS OPT pseudo-RR.

I would go even further---the DO bit is not about DNSSEC at all.  The
resolver just promises to ignore any ancillary record sets it does not
understand.  If DO were about DNSSEC, a new flag would have been
introduced along with DNSSECbis, where the record types changed so
that for resolvers implementing the older protocol, the DNSSECbis
records just looked like garbage.




More information about the NANOG mailing list