-----BEGIN PGP SIGNED MESSAGE-----
On Mon, Sep 09, 2013 at 02:07:53PM -0700, Michael Sinatra wrote:
> What happens if people want to do DNSSEC validation? Do you let them
> use your canonical DNS servers as forwarders? Will those servers
> return DNSSEC records (e.g. DNSKEYs and RRSIGs) if a forwarder or stub
> resolver requests them?
Right now they just get the RRSIG without an AD bit set.
A few years ago, when the root zone was signed, I tried to get adoption
for us to do a full DNSSEC deployment and it rocked the boat a little;
since then I've stayed away from bringing up anything else DNSSEC related.
When our users start saying they need validated queries then we'll
probably toggle the option on our secondary servers and after a delta of
no issues we'd toggle it on our primaries. It will have to be driven by
user requests, though.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.