On 2 Nov 2017, at 8:04, Bob Harold wrote:
I generally agree with you, but wonder if there is a performance
penalty to
searching every possible path before failing. Is that a reasonable
concern?
These are reasonable questions, ones that were actively discussed in the
PKIX world 20+ years ago. The consensus conclusion was that any
performance penalty was worth the consistency of answers, since the
relying part (the stub resolver in our case) had no control over the
order of evaluation.
Also, if an operator does not configure DLV or local trust anchors,
then is
root the only path?
All trust anchors are "local", so the question becomes "if an operator
does not configure DLV or any trust anchors". The former is now moot,
and the latter goes against a bunch of MUST statements in the standard.
--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
