On 21 September 2014 19:14, bert hubert <bert.hub...@netherlabs.nl> wrote:
> On Sun, Sep 21, 2014 at 08:13:46AM -0700, Paul Hoffman wrote:
> > > PS: the above is currently not yet supported for DNSSEC domains!
> >
> > Can you say (much) more about that aside? Does it mean that the server
>
> An interesting opening is that we'd be signing potentially unsigned data
> this way. Potentially, we should check for the AD bit. But first let's see
> how this idea fits.

Must validate the response. Otherwise bad actor can just toss in a bogus AD bit!

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop