Thanks, but I'm having a hard time grokking this. It seems others on the list are as well.

On Mar 9, 2015, at 3:45 AM, Tony Finch <[email protected]> wrote:
>
> Paul Hoffman <[email protected]> wrote:
>>
>> My personal interpretation is that "validating resolver" is a synonym
>> for "security-aware resolver". Do others agree? If not, how would you
>> differentiate them?
>
> No, "security-aware" means that the software understands the special
> semantics of RRSIG, NSEC, DS, etc. but does not necessarily validate.

What does "understand" mean in that sentence?

> It
> is clear from RFC 4033 that validation is separate from security awareness
> because of "Non-Validating Security-Aware Stub Resolver".

Maybe. Note that this is the only defined term with "non-validating" in it. Was this possibly an artifact of the world-view that Ralf mentioned?

> For instance, by default, BIND is a security-aware validating resolver.
> (Except it can't validate anything until you configure a trust anchor.)
> You can turn off validation with "dnssec-validation no" and switch it into
> security-oblivious mode with "dnssec-enable no".

If you turn off validation with "dnssec-validation no", in what way is it security-aware any more?

--Paul Hoffman

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
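The distinction the thread is arguing over can be observed on the wire: a resolver that is merely security-aware hands back RRSIG records when the query set the EDNS DO bit, while one that also validates sets the AD bit on answers it validated (RFC 4035). The Python classifier below, with its constructed sample responses, is an added illustration and not part of the thread; the mapping is a heuristic, since a validating resolver also leaves AD clear for unsigned zones, and a security-aware resolver returns no RRSIGs if the client never asked for them.

```python
import struct

RRSIG_TYPE = 46    # RRSIG RR type code (RFC 4034)
AD_FLAG = 0x0020   # "Authentic Data" header bit (RFC 4035)
QR_RD_RA = 0x8180  # response + recursion desired + recursion available

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def classify_response(msg):
    """Classify the answering resolver from one response to a DO=1 query.

    AD set -> validating; RRSIG present but no AD -> security-aware, non-validating;
    neither -> security-oblivious (or the zone simply is not signed).
    """
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                     # skip the question section
        off = _skip_name(msg, off) + 4
    types = []
    for _ in range(an + ns + ar):           # walk every RR, noting its type
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    if flags & AD_FLAG:
        return "validating"
    if RRSIG_TYPE in types:
        return "security-aware, non-validating"
    return "security-oblivious (or unsigned zone)"

# Constructed sample responses for "example.com A" (not real captures).
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

def _build(flags, rrs):
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(rrs), 0, 0)
    msg = hdr + _name("example.com") + struct.pack("!HH", 1, 1)
    for rtype, rdata in rrs:  # 0xC00C = pointer back to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

A_RDATA = bytes([192, 0, 2, 1])      # 192.0.2.1, documentation address
FAKE_RRSIG = b"\x00" * 24            # placeholder rdata, not a real signature
VALIDATING = _build(QR_RD_RA | AD_FLAG, [(1, A_RDATA), (RRSIG_TYPE, FAKE_RRSIG)])
AWARE_ONLY = _build(QR_RD_RA, [(1, A_RDATA), (RRSIG_TYPE, FAKE_RRSIG)])
OBLIVIOUS = _build(QR_RD_RA, [(1, A_RDATA)])
```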
