On Jul 8, 2014, at 8:14 AM, Tony Finch <d...@dotat.at> wrote:

> Ralf Weber <d...@fl1ger.de> wrote:
>>
>> I think if we think of the resolver having another auth root server at
>> localhost the logic is easier to understand and makes much more sense, as
>> DNSSEC protections would kick in even if someone managed to inject a bad
>> zone.
>
> I think that is too simplistic: simply slaving the root zone doesn't give
> you any good way to detect or recover from a corrupted zone transfer. By
> the time normal DNSSEC validation has detected any problems it is too
> late.
Can you give a scenario where that second sentence is true? That is, if a validating recursive resolver retrieves the entire signed zone, validates the contents, and then puts all of the contents in the cache, how can some problem happen "too late"?

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
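The "fetch the whole signed zone, check it, only then use it" behaviour Paul describes, and the detect-and-recover concern Tony raises, map onto resolver configuration that exists today. The following is an added example, not something from this thread or from either author: an Unbound configuration that keeps a local copy of the root zone, verifies the zone's signed ZONEMD digest after each transfer, and falls back to normal recursion if the transfer or its checks fail. It uses auth-zone options that Unbound added after this 2014 discussion; the primary server address, the trust-anchor path and the zone file path are placeholders, not values from the page.

```conf
# Added example (not from the thread): Unbound resolver serving itself a
# DNSSEC-checked local copy of the root zone. Uses auth-zone options that
# post-date this 2014 discussion. Addresses and paths are placeholders.
server:
    # Validation must be on, or neither the transferred zone nor ordinary
    # answers are checked against the root trust anchor (the path is an
    # assumption; use your distribution's location).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

auth-zone:
    name: "."
    # Where to AXFR/IXFR the root zone from. 192.0.2.1 is a documentation
    # address standing in for a real root-zone distribution server.
    primary: 192.0.2.1
    zonefile: "/var/lib/unbound/root.zone"
    # Detect a corrupted or tampered transfer before the data is used: the
    # signed ZONEMD digest over the whole zone is verified, and because the
    # trust chain is in place, a forged ZONEMD fails too.
    zonemd-check: yes
    zonemd-reject-absence: no
    # Recover rather than break: if the transfer is missing or fails its
    # checks, query the root servers over the network as usual.
    fallback-enabled: yes
    # Only feed the resolver's own recursion from the copy; never answer
    # clients authoritatively from it, so the normal validator still checks
    # every answer that reaches a client.
    for-downstream: no
    for-upstream: yes
```

With `for-downstream: no`, the local copy replaces the network round trip to the root servers but not the validation step, so a record that fails RRSIG checks is rejected exactly as it would be if it had arrived from the network; `zonemd-check` adds the whole-zone integrity check at transfer time that plain zone slaving lacks, and `fallback-enabled` is the recovery path when that check fails.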