[Discuss] DNSSEC
Richard Pieri
richard.pieri at gmail.com
Sun Dec 7 11:38:09 EST 2014
On 12/7/2014 10:58 AM, Edward Ned Harvey (blu) wrote:
> What happens if the local DNS caching server is old and doesn't
> support DNSSEC? What if the client has support for DNSSEC, sets
> DO=1, and the caching server is old and doesn't know anything about
> DNSSEC? Hopefully an old dns server is able to dumbly relay
> information that it doesn't understand.
According to early DNSSEC design discussions, backwards compatibility
and co-existence with so-called insecure DNS is an explicit requirement
[RFC 3833 -> Galvin93].
According to RFC 3597, a properly functioning resolver MUST pass on
unknown records as unstructured binary data (read: no changes are
permitted). RFC 3597 was written specifically to address the issue of
insecure resolvers passing DNSSEC RRs.
According to me, the answer to your follow-up question is this: given a
resolver that pre-dates RFC 3597 or does not implement RFC 3597 for some
technical reason (Internet of Things constraints perhaps?), you cannot
rely on it to pass DNSSEC RRs.
--
Rich P.
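The behaviour the thread describes, a resolver that does not understand a record type but still relays its RDATA byte-for-byte, and a client that sets DO=1 in the EDNS0 OPT pseudo-record, can be checked on a wire-format message. The following is an added example, not code from the list or from any resolver; the message it parses is constructed inline (the RRSIG RDATA is a fake placeholder, not a real signature), and the parser deliberately treats every type except A and OPT as unknown, presenting it in the RFC 3597 section 5 `\# <length> <hex>` form and re-serializing it unchanged:

```python
"""Minimal DNS wire-format walker showing RFC 3597 handling of unknown RR
types (opaque RDATA, passed on unmodified) and the EDNS0 DO bit (RFC 3225).
Added example; the sample message is constructed, not captured traffic."""
import struct

TYPE_A, TYPE_OPT = 1, 41
TYPE_RRSIG = 46           # deliberately *not* decoded, to mimic an old resolver
DO_FLAG = 0x8000          # DO is the high bit of the OPT pseudo-RR's TTL field


def encode_name(name):
    """Uncompressed wire encoding of a dotted name ("." -> a single zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Return (name, next_offset); follows compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_rr(msg, off):
    name, off = decode_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}
    if rtype == TYPE_A and rdlen == 4:
        rr["text"] = ".".join(str(b) for b in rdata)
    else:
        # RFC 3597: unknown RDATA is kept as opaque bytes and shown as "\# len hex".
        rr["text"] = ("\\# %d %s" % (rdlen, rdata.hex())).rstrip()
    return rr, off + rdlen


def parse_message(msg):
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((qname, qtype, qclass))
        off += 4
    for _ in range(an + ns + ar):
        rr, off = parse_rr(msg, off)
        records.append(rr)
    return {"id": ident, "flags": flags, "counts": (qd, an, ns, ar),
            "questions": questions, "records": records}


def do_bit_set(parsed):
    """True if an OPT pseudo-RR in the message carries DO=1."""
    return any(r["type"] == TYPE_OPT and r["ttl"] & DO_FLAG for r in parsed["records"])


def reserialize(parsed):
    """What a 'dumb relay' forwards: every RR, understood or not, byte-for-byte."""
    out = struct.pack("!HHHHHH", parsed["id"], parsed["flags"], *parsed["counts"])
    for qname, qtype, qclass in parsed["questions"]:
        out += encode_name(qname) + struct.pack("!HH", qtype, qclass)
    for r in parsed["records"]:
        out += (encode_name(r["name"])
                + struct.pack("!HHIH", r["type"], r["class"], r["ttl"], len(r["rdata"]))
                + r["rdata"])
    return out


def build_sample():
    """Constructed response: one A RR, one RRSIG (unknown to this parser), one OPT with DO=1."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)
    q = encode_name("example.test.") + struct.pack("!HH", TYPE_A, 1)
    a = encode_name("example.test.") + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig = struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0, 0, 0) + encode_name("example.test.") + b"\x01\x02\x03\x04"
    rrsig = encode_name("example.test.") + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig)) + sig
    opt = encode_name(".") + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG, 0)
    return hdr + q + a + rrsig + opt


if __name__ == "__main__":
    parsed = parse_message(build_sample())
    for r in parsed["records"]:
        print(r["name"], r["type"], r["text"])
    print("DO set:", do_bit_set(parsed), "relay unchanged:", reserialize(parsed) == build_sample())
```

The round-trip check at the end is the property RFC 3597 demands of an intermediary: the RRSIG is never interpreted, only carried. It also shows where that guarantee stops: a relay that rewrites or compresses names inside RDATA it does not understand, or strips records whose type it does not know, would fail the equality, which is the failure mode described for resolvers that pre-date or skip RFC 3597.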