On 08/02/2017 12:09 PM, Matthew Pounsett wrote:
> In the case where 'localhost' is being passed to DNS resolution
> software, a validating stub (for example inside a web browser)

Ah, this may be where we are finding a disconnect. I believe web browsers never operate validating stub resolvers, but generally ask the operating system resolver library. Do you have a counter-example?

I think it's also rare for operating system resolver libraries to validate DNSSEC (rather than leaving it to an upstream recursive resolver). However, even if we take it as a given that operating system stub resolvers should implement DNSSEC validation, they clearly already treat localhost specially, so there is no reason to believe that they would start trying to validate it with DNSSEC once this document is finalized.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop