On 08/24/2018 02:01 AM, Paul Hoffman wrote:
> Thoughts?

Well, if the OS resolver is validating, it will SERVFAIL with such a query. Furthermore, if it uses aggressive caching, it may even give a negative reply without asking upstream that would answer positively. That is, unless the RFC instructs forwarding resolvers to do otherwise, but that would seem a nasty special case for little benefit.

I assume the non-validation is a conscious tradeoff, as such resolvers seem not a common OS default, and they're more likely to support DoT or DoH anyway, hopefully reducing the need for browsers to roll their own. I'm not sure I understand the motivation for the stated use case, but apparently others perceive it as useful...

--Vladimir

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop