US government mandates? use of DNSSEC by federal agencies

Jeroen Massar jeroen at
Wed Aug 27 12:25:03 CDT 2008

Steven M. Bellovin wrote:
> On Wed, 27 Aug 2008 09:53:26 -0700
> "Kevin Oberman" <oberman at> wrote:
>>> So the question I have is... will operators (ISP, etc) turn on
>>> DNSsec checking? Or a more basic question of whether you even
>>> _could_ turn on checking if you were so inclined?
>> As far as I can see, at least with bind-9.5, operators would have to
>> turn it off. It looks to me like dnssec-validation defaults to on. It
>> also appears that bind-9.4 defaults to 'off'. 
> Right.  The real questions are the clients and the trust anchor -- what
> root key do you support?

A distributed one. I personally don't really see an issue with
downloading a public key for every TLD out there. These keys could come
in a pack even by an OS distribution, nicely PGP signed et all...
Nobody in his right mind manages this per box anymore anyway, and
packages for distributions and auto-updates are well-present anyway.

The presence of a key file can also mean to the resolver that one
can/has_to check dnssec results.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the NANOG mailing list