* Chris Adams: > Once upon a time, Florian Weimer <fwei...@redhat.com> said: >> At least that's a solvable problem: perform DNSSEC validation (to >> prevent actual attacks) and pretend to clients that you didn't do it (to >> avoid relying on signatures which aren't policy-confiorming). DNSSEC >> supports that approach quite well for ordinary record types. It's >> different from the web, where https:// and http:// are not equivalent in >> practice for many domains, and the schema is also visible to Javascript. > > A validating resolver only returns validated results to clients. > There's no "validate but pretend you didn't" mode - if you are a > validating resolver, you either return the record and NOERROR, or you > set SERVFAIL.
You can return NOERROR without the AD bit. That's what I meant. That's different from HTTPS: you can't pretend to a web page you downloaded over HTTPS that it came in via HTTP. Thanks, Florian _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
