US government mandates? use of DNSSEC by federal agencies

David Conrad drc at virtualized.org
Wed Aug 27 18:41:20 CDT 2008


On Aug 27, 2008, at 11:03 AM, Michael Thomas wrote:
> Of course embedded frobs that don't
> auto-update like, oh say, your favorite router could be problematic.

You have a router that supports DNSSEC that can't be made to do some  
form of auto-update?

> In any case, the point of my first question was really about the
> concern of false positives. Do we really have any idea what will
> happen if you hard fail dnssec failures?

As far as I'm aware, there is no 'soft fail' for DNSSEC failures.  In  
the caching servers I'm familiar with, if a name fails to validate, it  
used to be that it doesn't get cached and SERVFAIL is returned.  Maybe  
that's been fixed?

Regards,
-drc






More information about the NANOG mailing list