In response to your query on dnssec in the browser, I use this.

https://addons.mozilla.org/en-us/firefox/addon/dnssec-validator/

------Original Message------
From: Jimmy Hess
To: Mark Andrews
Cc: Welch, Bryan
Cc: nanog@nanog.org
Subject: Re: Experience with Open Source load balancers?
Sent: May 17, 2011 7:07 PM

On Tue, May 17, 2011 at 6:23 PM, Mark Andrews <marka@isc.org> wrote:
[snip]
> Better still would be for them to return AAAA records but until one is ready to do that the negative responses need to be correct.

Hm... better would be for load balancers to operate transparently at Layer 3 and not tamper with the contents of answers from proper DNS servers. Eating traffic based on application content, or turning NOERROR, 0 matches into NXDOMAIN is seriously f***'ed up.

I look forward to more domains having DS records published by TLDs w/ signed zones... and possibly browsers displaying warnings trying to visit HTTPS domains without a signed zone. Perhaps load balancers/middle box manufacturers will start to become a little bit more honest in what they do with DNS traffic :)

--
-JH

Sent via BlackBerry from T-Mobile
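
Added example, not part of the original messages: a Python check for the rewrite discussed above, where the same name gets NOERROR for one query type and NXDOMAIN for another. The wire-format responses are constructed samples, and make_response, classify and check_name are hypothetical helper names.

```python
import struct

NOERROR, NXDOMAIN = 0, 3
TYPE_A, TYPE_AAAA = 1, 28

def make_response(qname, qtype, rcode, answers=()):
    """Build a minimal DNS response (constructed sample, not captured traffic)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1; RCODE sits in the low 4 bits
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = labels + struct.pack("!HH", qtype, 1)
    # Each answer RR points back at the question name (compression pointer to offset 12).
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rd)) + rd
                   for rd in answers)
    return header + question + rrs

def classify(msg):
    """Return ANSWER, NODATA (NOERROR with 0 answers), NXDOMAIN or RCODEn."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "NXDOMAIN"
    if rcode == NOERROR:
        return "ANSWER" if ancount else "NODATA"
    return f"RCODE{rcode}"

def check_name(responses):
    """responses maps a query type label to the response bytes for ONE owner name.

    NXDOMAIN denies the whole name, so it cannot be true for one type while
    another type for the same name returns NOERROR (with or without data).
    """
    kinds = {qtype: classify(msg) for qtype, msg in responses.items()}
    exists = any(k in ("ANSWER", "NODATA") for k in kinds.values())
    denied = any(k == "NXDOMAIN" for k in kinds.values())
    return kinds, exists and denied

def sample_pair(aaaa_rcode):
    """Constructed A/AAAA response pair for www.example.com."""
    name = "www.example.com"
    return {"A": make_response(name, TYPE_A, NOERROR, [bytes([192, 0, 2, 1])]),
            "AAAA": make_response(name, TYPE_AAAA, aaaa_rcode)}

if __name__ == "__main__":
    for rcode in (NOERROR, NXDOMAIN):
        print(check_name(sample_pair(rcode)))
```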