On Jul 8, 2014, at 8:45 AM, Tony Finch <d...@dotat.at> wrote:

> Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>> On Jul 8, 2014, at 8:14 AM, Tony Finch <d...@dotat.at> wrote:
>>>
>>> I think that is too simplistic: simply slaving the root zone doesn't give
>>> you any good way to detect or recover from a corrupted zone transfer. By
>>> the time normal DNSSEC validation has detected any problems it is too
>>> late.
>>
>> Can you give a scenario where that second sentence is true? That is, if
>> a validating recursive resolver retrieves the entire signed zone,
>> validates the contents, and then puts all of the contents in the cache,
>> how can some problem happen "too late"?
>
> If you do that (i.e. if you do what your draft specifies rather than what
> Ralf suggested) then you aren't simply slaving the zone (you are
> validating it too) and you aren't doing normal per-query on-demand DNSSEC
> validation.
Just to be clear: you are saying that what we actually say in the draft doesn't have the "too late" issue you refer to above, correct?

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop