Theodore Ts'o <tytso(_at_)mit(_dot_)edu> wrote:
Speaking of which, Jim Gettys was trying to tell me yesterday that
BIND refuses to do DNSSEC lookups until the endpoint client has
generated a certificate.
That is wrong. DNSSEC validation affects a whole view - i.e. it is
effectively global.
Clients can request DNSSEC records or not, regardless of whether they do
any transaction security. Clients can do DNSSEC validation without any
private keys.
Tony.
--
f.anthony.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.