On Jul 8, 2014, at 8:14 AM, Tony Finch <d...@dotat.at> wrote:

> Ralf Weber <d...@fl1ger.de> wrote:
>> 
>> I think if we think of the resolver having another auth root server at
>> localhost the logic is easier to understand and makes much more sense, as
>> DNSSEC protections would kick in even if someone managed to inject a bad
>> zone.
> 
> I think that is too simplistic: simply slaving the root zone doesn't give
> you any good way to detect or recover from a corrupted zone transfer. By
> the time normal DNSSEC validation has detected any problems it is too
> late.

Can you give a scenario where that second sentence is true? That is, if a 
validating recursive resolver retrieves the entire signed zone, validates the 
contents, and then puts all of the contents in the cache, how can some problem 
happen "too late"?

--Paul Hoffman
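The validate-then-install ordering Paul asks about, as an added example that is not part of the thread: an HMAC under a constructed key stands in for RRSIG/DNSKEY verification (an assumption so the code runs offline with the standard library), and the resolver checks every RRset of the transferred zone before swapping its cache, so a corrupted transfer is rejected whole and the previous copy stays in service.

```python
import hmac
import hashlib

# Constructed stand-in for the DNSSEC trust anchor: a shared HMAC key plays
# the role of the root keys so the example needs no real signature library.
TRUST_ANCHOR = b"constructed-root-trust-anchor"

def sign_rrset(name, rtype, rdata):
    """Stand-in for an RRSIG: authenticate the canonical form of one RRset."""
    canonical = f"{name.lower()}|{rtype}|{'|'.join(sorted(rdata))}".encode()
    return hmac.new(TRUST_ANCHOR, canonical, hashlib.sha256).hexdigest()

def make_zone(records):
    """records: list of (owner, type, [rdata]) -> signed RRsets (constructed zone)."""
    return [(n, t, r, sign_rrset(n, t, r)) for n, t, r in records]

def validate_zone(rrsets):
    """Return owner names whose RRset fails validation; empty means the transfer is good."""
    return [n for n, t, r, sig in rrsets
            if not hmac.compare_digest(sig, sign_rrset(n, t, r))]

class LocalRootResolver:
    def __init__(self):
        self.cache = {}  # (owner, type) -> rdata; only ever holds validated data

    def load_transfer(self, rrsets):
        """Validate the whole zone first, then install it atomically or keep the old copy."""
        bogus = validate_zone(rrsets)
        if bogus:
            return False, bogus   # nothing is cached; the previous zone stays in service
        self.cache = {(n, t): r for n, t, r, _ in rrsets}
        return True, []

# Constructed sample zone: two delegations with made-up nameserver names.
GOOD = make_zone([("example.", "NS", ["a.ns.example.", "b.ns.example."]),
                  ("org.", "NS", ["ns.org.example."])])

def corrupted_transfer():
    """Constructed corruption: one delegation's rdata altered after signing."""
    n, t, r, sig = GOOD[0]
    return [(n, t, ["ns.bogus.invalid."], sig)] + GOOD[1:]
```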
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
