US government mandates? use of DNSSEC by federal agencies

Kevin Oberman oberman at
Wed Aug 27 11:53:26 CDT 2008

> Date: Wed, 27 Aug 2008 09:22:40 -0700
> From: Michael Thomas <mike at>
> Kevin Oberman wrote:
> >> Date: Tue, 26 Aug 2008 16:53:24 -0400
> >> From: "Bill Bogstad" <bogstad at>
> >>
> >> Not sure what this will actually mean in the long run, but it's at
> >> least worth noting.
> >>
> >>
> >>
> > 
> > It will mean something in the medium term as '.gov' and '.org' will be
> > signed very soon and OMB might be able to even get the root
> > signed. (Since OMB can pull funding, no one argues with them much.)
> > All of this will increase pressure on Verisign to deal with '.com' and
> > '.net'.
> > 
> > Note that this only has an impact on '.gov' and the zones immediately
> > below it, but I suspect most sub-domains of *.gov will be signed as a
> > result of this, even if it is not required.
> So the question I have is... will operators (ISP, etc) turn on DNSsec
> checking? Or a more basic question of whether you even _could_ turn on
> checking if you were so inclined?

As far as I can see, at least with bind-9.5, operators would have to
turn it off. It looks to me like dnssec-validation defaults to on. It
also appears that bind-9.4 defaults to 'off'. 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 224 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list