On Mar 15, 2015, at 6:14 AM, Mark Andrews <ma...@isc.org> wrote:

> Can we kill this myth that recursive servers do not need to validate
> because they do need to validate for DNSSEC to work reliably. DNSSEC
> only works without validation in the middle if no one is spoofing, dropping
> RRSIGs etc. The moment there is anything other than only good answers
> being cached things will go wrong.
+1

Of course, what goes wrong is that the response can't be validated, so DNSSEC is still doing its job, but it can prevent cache poisoning if validation is done in the cache, and cannot if it is not.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
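As an added illustration of the point both messages make (not part of the thread itself), here is what the two choices look like in a BIND 9 named.conf; the thread does not name a resolver implementation, so BIND is an assumption made here for the example. The weak setting leaves the recursive server caching whatever it receives; the corrected setting has it validate before anything is handed out as good data.

```conf
options {
    recursion yes;

    // Weak setting (assumed example, not from the thread): the resolver
    // caches whatever arrives, so a spoofed or RRSIG-stripped answer is
    // stored and served to every client behind this cache.
    // dnssec-validation no;

    // Corrected setting: validate against the built-in root trust anchor
    // before serving. Answers that fail validation are not handed out as
    // good data; the client receives SERVFAIL instead of a forged record.
    dnssec-validation auto;
};
```

To check which mode a resolver is actually in, query it with `dig +dnssec` for a signed name and look for the `ad` bit among the flags in the response header: a validating cache sets it, a non-validating one never does.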