Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> On Jul 8, 2014, at 8:14 AM, Tony Finch <d...@dotat.at> wrote:
>
> > I think that is too simplistic: simply slaving the root zone doesn't give
> > you any good way to detect or recover from a corrupted zone transfer. By
> > the time normal DNSSEC validation has detected any problems it is too
> > late.
>
> Can you give a scenario where that second sentence is true? That is, if
> a validating recursive resolver retrieves the entire signed zone,
> validates the contents, and then puts all of the contents in the cache,
> how can some problem happen "too late"?
If you do that (i.e. if you do what your draft specifies rather than what Ralf suggested) then you aren't simply slaving the zone (you are validating it too) and you aren't doing normal per-query on-demand DNSSEC validation.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Viking: Variable 4 becoming north 5 to 7. Slight becoming moderate. Fog patches then rain. Moderate or good, occasionally very poor at first.