On Fri, Sep 06, 2013 at 03:26:42PM +0100, Tony Finch wrote:
> Theodore Ts'o <tytso(_at_)mit(_dot_)edu> wrote:
> > Speaking of which, Jim Gettys was trying to tell me yesterday that
> > BIND refuses to do DNSSEC lookups until the endpoint client has
> > generated a certificate.
>
> That is wrong. DNSSEC validation affects a whole view - i.e. it is
> effectively global.
>
> Clients can request DNSSEC records or not, regardless of whether they do
> any transaction security. Clients can do DNSSEC validation without any
> private keys.

That's what I hoped, thanks.
- Ted
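
An added illustration of the point made in the thread above (not code from either poster or from BIND): a client asks for DNSSEC records by setting the DO bit in an EDNS0 OPT record, and the query carries no TSIG or SIG(0) record, so no client key is involved. The query name, message ID and the 1232-byte payload size are constructed sample values.

```python
import struct

TYPE_SIG, TYPE_OPT, TYPE_TSIG = 24, 41, 250  # SIG(0) and TSIG are transaction security
DO_BIT = 0x8000  # "DNSSEC OK" flag, carried in the OPT record's TTL field (RFC 3225)

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, want_dnssec, msg_id=0x1234):
    """Build an unsigned query; with want_dnssec, append an OPT record with DO set."""
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)        # class IN
    opt = b""
    if want_dnssec:
        # OPT: root owner, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_BIT, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past an uncompressed name starting at off."""
    while msg[off] != 0:
        off += 1 + msg[off]
    return off + 1

def inspect_query(msg):
    """Return (do_bit_set, has_transaction_security) for an uncompressed query."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    do_set = signed = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        do_set = do_set or (rtype == TYPE_OPT and bool(ttl & DO_BIT))
        signed = signed or rtype in (TYPE_TSIG, TYPE_SIG)
    return do_set, signed

if __name__ == "__main__":
    query = build_query("example.com", 1, want_dnssec=True)  # constructed sample
    print(query.hex(), inspect_query(query))
```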