> On 3 Aug 2018, at 1:36 pm, Paul Wouters <p...@nohats.ca> wrote:
>
> On Thu, 2 Aug 2018, Paul Hoffman wrote:
>
>> That only works for validating resolvers. ZONEMD also is useful for
>> non-validating resolvers.
>
>> A non-validating resolver doesn't have a validated cache.
>
> The internet is no place for spoofable data in any kind of protocol.
>
> I don't think the IETF should provide DNS-without-DNSSEC solutions,
> just like we don't do SHA1 or MD5 or IKEv1 or TLS 1.0 anymore.
>
> We should not make things more complicated to allow for dnssecless.
>
> A non-validating resolver is on its own. Nothing can save it.
>
> Paul

+1. We don’t need to split out the hash from the signature.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop