Here are a few more answers:How does a host or client request a DO bit? Or how do I force my caching name server to set DO on behalf of their clients?
The stub resolver doesn’t usually set the DO bit. A recursive name server with a trust anchor for a zone or following a delegation from a secure zone to a secure subzone sets the DO bit. (It makes no sense, after all, for a recursive name server to set the DO bit on a query for an RRset in a zone that isn’t signed.) So if you want to make sure that a recursive name server sets DO for queries in a particular zone, configure a trust anchor for that zone.Do these DNS keys come across in zone transfers?
Yes, DNSKEY records are just normal zone data, included in zone transfers. (A DNSKEY record specifies a public key for a zone.) The private key is not published in the zone data (because then it wouldn’t be private, would it?).What is going on outside the U.S. with respect to DNSSEC implementation?
A lot. Quite a few top-level zones have already been signed: Bulgaria’s .bg, Brazil’s .br, the Czech Republic’s .cz, Puerto Rico’s .pr (though I guess you could argue that that’s really part of the U.S.), Sweden’s .se, and Thailand’s .th. For a complete list, see the Interim Trust Anchor Repository. In my personal experience, there’s also a higher level of interest in and greater understanding of DNSSEC outside of the U.S., particularly in Europe.How quickly did Infoblox patch the Kaminsky vulnerability?
We had patches available to our customers the day Dan publicly announced that the vulnerability existed. Dan deserves much of the credit for this. He exercised responsible disclosure, working within the DNS community to ensure that patches were developed before the details of the vulnerability were publicized. And we’re members of the BIND Forum, so we got early notification of the existence of the vulnerability and early access to patches, and could begin integration and testing right away.When will Microsoft DNS Servers support DNSSEC?
In Windows Server 2008 R2. Note that, as Scott pointed out in the webinar, the name server doesn’t support NSEC3 or dynamic updates to signed zones.Is the root signed yet?
No, but it will be before the end of the year, according to the National Telecommunications and Information Administration.
More to come!