In message <5505337b.9030...@redbarn.org>, Paul Vixie writes:
> what matters for DNSSEC is the end-to-end case. as long as comcast is
> running DNSSEC-aware resolvers, they don't need to validate anything in
> order to make DNSSEC applications like DANE workable for their
> customers. and i'd rather see them turn off validation than see negative
> trust anchors added to the specification.

Can we kill this myth that recursive servers do not need to validate,
because they do need to validate for DNSSEC to work reliably. DNSSEC
only works without validation in the middle if no one is spoofing,
dropping RRSIGs, etc. The moment there is anything other than only
good answers being cached, things will go wrong.

> --
> Paul Vixie
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
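
Added example, not part of the original message or of any resolver's code: a toy model of the caching behaviour argued about above, comparing a non-validating and a validating recursive cache in front of a validating end host when one spoofed or RRSIG-stripped response arrives. The names, addresses and the HMAC standing in for an RRSIG are constructed assumptions; TTL expiry is not modelled, so the run represents lookups within one TTL.

```python
import hashlib
import hmac

ZONE_KEY = b"constructed-zone-key"  # toy stand-in for the zone's signing key

def sign(name, rdata):
    # HMAC stands in for an RRSIG; real DNSSEC uses public-key signatures.
    return hmac.new(ZONE_KEY, f"{name}|{rdata}".encode(), hashlib.sha256).hexdigest()

def valid(answer):
    name, rdata, rrsig = answer
    return rrsig is not None and hmac.compare_digest(rrsig, sign(name, rdata))

class Upstream:
    """Replays constructed bad responses first, then only the good one."""
    def __init__(self, bad, good):
        self.bad, self.good = list(bad), good
    def query(self, name):
        return self.bad.pop(0) if self.bad else self.good

class Resolver:
    """Caching recursive resolver; cache entries live for the whole run (one TTL)."""
    def __init__(self, upstream, validate, retries=3):
        self.upstream, self.validate, self.retries = upstream, validate, retries
        self.cache = {}
    def resolve(self, name):
        if name in self.cache:
            return self.cache[name]
        for _ in range(self.retries):
            answer = self.upstream.query(name)
            if not self.validate or valid(answer):
                self.cache[name] = answer  # non-validating: caches whatever arrived
                return answer
        return None  # validating resolver gives up: SERVFAIL, nothing cached

def stub_lookups(resolver, name, count=3):
    """Validating end host: outcome of `count` lookups through the resolver."""
    answers = [resolver.resolve(name) for _ in range(count)]
    return ["secure" if a and valid(a) else "bogus" for a in answers]

def demo():
    name = "www.example.com"
    good = (name, "192.0.2.10", sign(name, "192.0.2.10"))
    bad = {"spoofed": (name, "198.51.100.66", None),   # forged data, no RRSIG
           "stripped": (name, "192.0.2.10", None)}      # real data, RRSIG dropped
    return {(kind, validate): stub_lookups(Resolver(Upstream([resp], good), validate), name)
            for kind, resp in bad.items() for validate in (False, True)}

if __name__ == "__main__":
    print(demo())
```

In this model the end host behind the non-validating cache sees a validation failure on every lookup, because the single bad response stays cached, while the validating cache discards it, re-queries and serves the signed answer.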