BLU Discuss list archive
[Discuss] DNSSEC
- Subject: [Discuss] DNSSEC
- From: richard.pieri at gmail.com (Richard Pieri)
- Date: Sun, 07 Dec 2014 11:38:09 -0500
- In-reply-to: <BN3PR0401MB1204647CA6E7523747D3077FDC670@BN3PR0401MB1204.namprd04.prod.outlook.com>
- References: <BN3PR0401MB1204647CA6E7523747D3077FDC670@BN3PR0401MB1204.namprd04.prod.outlook.com>
On 12/7/2014 10:58 AM, Edward Ned Harvey (blu) wrote:
> What happens if the local DNS caching server is old and doesn't
> support DNSSEC? What if the client has support for DNSSEC, sets
> DO=1, and the caching server is old and doesn't know anything about
> DNSSEC? Hopefully an old dns server is able to dumbly relay
> information that it doesn't understand.

According to early DNSSEC design discussions, backwards compatibility and co-existence with so-called insecure DNS is an explicit requirement [RFC 3833 -> Galvin93].

According to RFC 3597, a properly functioning resolver MUST pass on unknown records as unstructured binary data (read: no changes are permitted). RFC 3597 was written specifically to address the issue of insecure resolvers passing DNSSEC RRs.

According to me, the answer to your followup question is this: given a resolver that pre-dates RFC 3597 or does not implement RFC 3597 for some technical reason (Internet of Things constraints perhaps?), you cannot rely on it to pass DNSSEC RRs.

--
Rich P.
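The RFC 3597 behaviour Rich describes (unknown RR types carried through as opaque RDATA, plus the EDNS0 DO bit that signals a DNSSEC-aware client) can be shown on the wire format directly. The following is an added example, not code from the list post or from any RFC: it hand-builds a constructed DNS response containing a DNSKEY record (type 48, with made-up key bytes) and an OPT pseudo-RR with DO=1, parses every record type-agnostically, prints the RFC 3597 generic `\#` text form, and re-serialises the message to confirm that nothing in the RDATA was altered. The names, IDs and key bytes are all constructed sample values.

```python
"""Type-agnostic DNS RR handling in the spirit of RFC 3597 (added illustration).

All sample data below is constructed; nothing is looked up on the network.
"""
import struct

TYPE_OPT = 41        # EDNS0 pseudo-RR (RFC 6891)
TYPE_DNSKEY = 48     # DNSSEC key record; treated here as an "unknown" type
EDNS_DO_FLAG = 0x8000  # DO bit lives in the high bit of the OPT TTL's flags half

# Constructed DNSKEY RDATA: flags=256 (ZSK), protocol=3, algorithm=13, fake 32-byte key.
SAMPLE_DNSKEY_RDATA = b"\x01\x00\x03\x0d" + bytes(range(32))


def encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after the name); follows RFC 1035 compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                # the caller continues after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_rr(msg, off):
    """Parse one RR without interpreting its type: RDATA stays opaque bytes."""
    name, off = decode_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, off + rdlen


def encode_rr(rr):
    """Serialise an RR; RDATA is written back byte-for-byte, as RFC 3597 requires."""
    return encode_name(rr["name"]) + struct.pack(
        "!HHIH", rr["type"], rr["class"], rr["ttl"], len(rr["rdata"])) + rr["rdata"]


def parse_message(msg):
    """Parse header, question section and all RRs of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, rrs = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        rr, off = parse_rr(msg, off)
        rrs.append(rr)
    return {"id": ident, "flags": flags, "counts": (qd, an, ns, ar),
            "questions": questions, "rrs": rrs}


def encode_message(p):
    """Re-serialise a parsed message (uncompressed names)."""
    qd, an, ns, ar = p["counts"]
    out = struct.pack("!HHHHHH", p["id"], p["flags"], qd, an, ns, ar)
    for name, qtype, qclass in p["questions"]:
        out += encode_name(name) + struct.pack("!HH", qtype, qclass)
    for rr in p["rrs"]:
        out += encode_rr(rr)
    return out


def do_bit_set(p):
    """True if the message carries an OPT RR whose DO flag is set (client asked for DNSSEC RRs)."""
    return any(rr["type"] == TYPE_OPT and rr["ttl"] & EDNS_DO_FLAG for rr in p["rrs"])


def rfc3597_text(rr):
    """RFC 3597 generic presentation: '<name> <ttl> <class> TYPE<n> \\# <len> <hex>'."""
    cls = "IN" if rr["class"] == 1 else "CLASS%d" % rr["class"]
    return "%s %d %s TYPE%d \\# %d %s" % (
        rr["name"], rr["ttl"], cls, rr["type"], len(rr["rdata"]), rr["rdata"].hex().upper())


def build_sample_response():
    """Constructed response: QR/RD/RA set, one DNSKEY answer, one OPT RR with DO=1."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = encode_name("example.com.") + struct.pack("!HH", TYPE_DNSKEY, 1)
    answer = encode_rr({"name": "example.com.", "type": TYPE_DNSKEY, "class": 1,
                        "ttl": 3600, "rdata": SAMPLE_DNSKEY_RDATA})
    # OPT: owner is root, class = UDP payload size, TTL = ext-rcode|version|flags.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO_FLAG, 0)
    return hdr + question + answer + opt


if __name__ == "__main__":
    wire = build_sample_response()
    parsed = parse_message(wire)
    print("DO bit set:", do_bit_set(parsed))
    for rr in parsed["rrs"]:
        print(rfc3597_text(rr))
    print("round-trip identical:", encode_message(parsed) == wire)
```

A resolver written this way never needs to know what a DNSKEY or RRSIG is in order to hand it to a validating client unchanged; the test of such a relay is exactly the round-trip check at the end of the block. A resolver that instead drops or rewrites types it does not recognise, which is the pre-RFC 3597 case Rich warns about, would fail that comparison.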
- Follow-Ups: [Discuss] DNSSEC, from warlord at MIT.EDU (Derek Atkins)
- References: [Discuss] DNSSEC, from blu at nedharvey.com (Edward Ned Harvey (blu))