[At-Large] DNSSEC and end users

Lutz Donnerhacke lutz at iks-jena.de
Wed Feb 9 14:01:37 UTC 2011

* Patrick Vande Walle wrote:
> Currently, with DNSSEC enabled
> on the DNS resolver you use (typically, the one assigned to you by your
> ISP), a domain name failing DNSSEC resolution returns a code to your
> browser saying the domain does not exist

Currently almost all ISPs' validating resolvers will return the "invalid"
data without the AD bit set. So the widely used plugins for Firefox and MSIE
will report a warning in the address line.

I do expect this way to become the default resolution policy. If you need
the validation, you will rely on the AD bit or use the newer API
(val_get...) to provide much better error messages to the user.
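
Added example, not part of the original message: a minimal sketch of how a stub client can read the AD bit from a raw DNS response header and map it to a user-facing state. The function names, the `trusted_path` parameter and the sample messages are assumptions constructed for illustration.

```python
import struct

# Masks in the 16-bit flags word of the DNS header (RFC 1035, RFC 4035).
QR, AD, CD, RCODE_MASK = 0x8000, 0x0020, 0x0010, 0x000F
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a raw message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & RCODE_MASK, "ancount": an}

def classify(msg: bytes, trusted_path: bool) -> str:
    """Map a resolver response to a state a browser plugin could display.

    trusted_path (assumption): True only when the channel to the resolver
    is protected (e.g. loopback resolver); otherwise the AD bit can be
    forged in transit and must be ignored.
    """
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("message is a query, not a response")
    if h["rcode"] == SERVFAIL:
        # Resolver could not produce an answer (includes failed
        # validation, RFC 4035).
        return "failed"
    if h["rcode"] not in (NOERROR, NXDOMAIN):
        return "error"
    if h["ad"] and trusted_path:
        return "validated"      # resolver vouches for the data
    return "unvalidated"        # data returned, AD clear: show a warning

def sample_response(flags: int, ancount: int = 1) -> bytes:
    """Constructed header-only response used as offline sample input."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    for label, flags in [("QR RD RA AD", 0x81A0), ("QR RD RA", 0x8180),
                         ("QR RD RA SERVFAIL", 0x8182)]:
        print(label, "->", classify(sample_response(flags), trusted_path=True))
```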

