Are you saying that to pre-validate signed materials along a trust chain outside some immediate context (x) is inherently invalid? What's the limit on x? Seconds? Microseconds?
Don't all caching resolvers cache common path trust checks under the TTL of the elements along the path anyway?

On Wed, Jul 9, 2014 at 3:45 AM, Tony Finch <d...@dotat.at> wrote:
> Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> > On Jul 8, 2014, at 8:14 AM, Tony Finch <d...@dotat.at> wrote:
> > >
> > > I think that is too simplistic: simply slaving the root zone doesn't give
> > > you any good way to detect or recover from a corrupted zone transfer. By
> > > the time normal DNSSEC validation has detected any problems it is too
> > > late.
> >
> > Can you give a scenario where that second sentence is true? That is, if
> > a validating recursive resolver retrieves the entire signed zone,
> > validates the contents, and then puts all of the contents in the cache,
> > how can some problem happen "too late"?
>
> If you do that (i.e. if you do what your draft specifies rather than what
> Ralf suggested) then you aren't simply slaving the zone (you are
> validating it too) and you aren't doing normal per-query on-demand DNSSEC
> validation.
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> Viking: Variable 4 becoming north 5 to 7. Slight becoming moderate. Fog
> patches then rain. Moderate or good, occasionally very poor at first.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
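The question above (what bounds "x", and whether caching resolvers already work under path TTLs) has a concrete answer in RFC 4035 section 5.3.3: a validator may keep an authenticated RRset no longer than the minimum of the RRset TTL, the RRSIG TTL, the RRSIG Original TTL, and the time left until Signature Expiration. The following is an added example, not code from this thread, from the draft under discussion, or from any resolver: it validates a whole transferred zone up front, clamps each entry's cache lifetime by that rule, and rejects a record corrupted in transit before anything is served. The RRSIG is stood in for by an HMAC over a canonical rendering (a labelled substitute, not DNSSEC signing), and the zone, names, key and field names are constructed for the illustration; nothing here is DNS wire format.

```python
"""Added illustration of transfer-time zone validation with RFC 4035 5.3.3
cache-TTL clamping.  The "signature" is an HMAC stand-in for an RRSIG; the
zone contents below are constructed, not real DNS data."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ZONE_KEY = b"constructed-zone-signing-key"  # stand-in for a zone signing key


@dataclass
class RRset:
    name: str
    rtype: str
    ttl: int          # TTL as received in the transfer
    rdata: List[str]


@dataclass
class Sig:
    """Stand-in for an RRSIG: only the fields that matter for caching."""
    ttl: int
    original_ttl: int
    inception: int
    expiration: int
    mac: bytes


def canonical(rrset: RRset, sig: Sig) -> bytes:
    # Like RRSIG, sign the Original TTL (not the received TTL) and the window.
    body = f"{rrset.name}|{rrset.rtype}|{sig.original_ttl}|"
    body += "|".join(sorted(rrset.rdata)) + f"|{sig.inception}|{sig.expiration}"
    return body.encode()


def sign(rrset: RRset, inception: int, expiration: int, key: bytes = ZONE_KEY) -> Sig:
    sig = Sig(ttl=rrset.ttl, original_ttl=rrset.ttl,
              inception=inception, expiration=expiration, mac=b"")
    sig.mac = hmac.new(key, canonical(rrset, sig), hashlib.sha256).digest()
    return sig


def clamp_ttl(rrset: RRset, sig: Sig, now: int) -> int:
    """RFC 4035 5.3.3: cache no longer than the smallest of these four."""
    return min(rrset.ttl, sig.ttl, sig.original_ttl, sig.expiration - now)


def validate_rrset(rrset: RRset, sig: Sig, now: int, key: bytes = ZONE_KEY) -> bool:
    if not (sig.inception <= now <= sig.expiration):
        return False  # outside the signature validity window
    expected = hmac.new(key, canonical(rrset, sig), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.mac)


@dataclass
class CacheEntry:
    rdata: List[str]
    expires_at: int


Cache = Dict[Tuple[str, str], CacheEntry]


def validate_zone(zone, now: int, key: bytes = ZONE_KEY):
    """Validate every RRset of a transferred zone before any of it is served.
    Returns (cache, rejected); rejected RRsets never enter the cache."""
    cache: Cache = {}
    rejected: List[Tuple[str, str]] = []
    for rrset, sig in zone:
        if not validate_rrset(rrset, sig, now, key):
            rejected.append((rrset.name, rrset.rtype))
            continue
        cache[(rrset.name, rrset.rtype)] = CacheEntry(
            list(rrset.rdata), now + clamp_ttl(rrset, sig, now))
    return cache, rejected


def lookup(cache: Cache, name: str, rtype: str, now: int) -> Optional[List[str]]:
    """Serve from the pre-validated cache only while the clamped TTL holds."""
    entry = cache.get((name, rtype))
    if entry is None or now >= entry.expires_at:
        return None
    return entry.rdata


def build_zone(now: int):
    """Constructed zone: a signature that expires well before the TTL, one
    with a long window, and one RRset altered after signing (bad transfer)."""
    short = RRset("short.example.", "A", 3600, ["192.0.2.1"])
    short_sig = sign(short, now - 60, now + 600)    # 600 s of validity left
    long_ = RRset("long.example.", "NS", 3600, ["ns1.example.", "ns2.example."])
    long_sig = sign(long_, now - 60, now + 86400)
    bad = RRset("bad.example.", "A", 300, ["192.0.2.2"])
    bad_sig = sign(bad, now - 60, now + 86400)
    bad.rdata = ["198.51.100.9"]                    # corrupted in transit
    return [(short, short_sig), (long_, long_sig), (bad, bad_sig)]


if __name__ == "__main__":
    t0 = 1_000_000
    cache, rejected = validate_zone(build_zone(t0), t0)
    print("rejected at transfer time:", rejected)
    print("short.example. at +599s:", lookup(cache, "short.example.", "A", t0 + 599))
    print("short.example. at +700s:", lookup(cache, "short.example.", "A", t0 + 700))
```

The point the example makes against the "too late" worry: with whole-zone validation the corrupted RRset is rejected when the transfer lands, not when a client happens to ask for it, and the cache lifetime of everything that did validate is bounded by the signature window, not just by the TTL. The limit on "x" is therefore whichever of the four clamp terms is smallest, which for a 3600-second record signed with 600 seconds of validity left is 600 seconds.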