US government mandates? use of DNSSEC by federal agencies
drc at virtualized.org
Wed Aug 27 18:41:20 CDT 2008
On Aug 27, 2008, at 11:03 AM, Michael Thomas wrote:
> Of course embedded frobs that don't
> auto-update like, oh say, your favorite router could be problematic.
You have a router that supports DNSSEC that can't be made to do some
form of auto-update?
> In any case, the point of my first question was really about the
> concern of false positives. Do we really have any idea what will
> happen if you hard fail dnssec failures?
As far as I'm aware, there is no 'soft fail' for DNSSEC failures. In
the caching servers I'm familiar with, if a name fails to validate, it
used to be that it doesn't get cached and SERVFAIL is returned. Maybe
that's been fixed?