On Wed, 16 Aug 2017, Mukund Sivaraman wrote:
> The validating resolver is half of the system. DNSSEC is brittle.
Absolutely. But before, we were in a situation where people signed zones, screwed it up, and then the (sometimes single) ISP running a validating resolver got the run-around: "must be wrong at your end, nobody else is complaining", and the zone signing was never fixed.
Now I think we're past that. There are enough users behind validating resolvers nowadays that you can't get away with getting your signing wrong and blaming others.
Yes, we need better APIs so applications can tell the user what went wrong, instead of just throwing a DNS failure. If there is need to update the DNS specs for this to be possible, then that should be done.
-- 
Mikael Abrahamsson
email: swm...@swm.pp.se

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop