Date: Wed, 27 Aug 2008 09:22:40 -0700
From: Michael Thomas <mike@mtcc.com>
Kevin Oberman wrote:
Date: Tue, 26 Aug 2008 16:53:24 -0400
From: "Bill Bogstad" <bogstad@pobox.com>
Not sure what this will actually mean in the long run, but it's at least worth noting.
http://www.gcn.com/online/vol1_no1/46987-1.html
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf
It will mean something in the medium term as '.gov' and '.org' will be signed very soon and OMB might be able to even get the root signed. (Since OMB can pull funding, no one argues with them much.) All of this will increase pressure on Verisign to deal with '.com' and '.net'.
Note that this only has an impact on '.gov' and the zones immediately below it, but I suspect most sub-domains of *.gov will be signed as a result of this, even if it is not required.
So the question I have is... will operators (ISP, etc) turn on DNSsec checking? Or a more basic question of whether you even _could_ turn on checking if you were so inclined?
As far as I can see, at least with bind-9.5, operators would have to turn it off. It looks to me like dnssec-validation defaults to on. It also appears that bind-9.4 defaults to 'off'.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751