Hi folks,

As far as I know, in DNSSEC the validating resolver is able to identify a
bad response if signatures do not validate. But it is unable to retrieve the
good one for the stub resolver if there are other alternatives.

I'm thinking about a draft proposal: if signatures do not validate, the
validating resolver can try other resolution paths like DoT or DoH directly
to authoritative servers or other public DNS servers which offer the DNS
encryption service. It aims to work around the resolution path where the DNS
hijack happened.

Do you think it is a good idea, or a useful use case for DNS encryption in
DNSSEC?

Best regards,
Davey
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
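The fallback logic Davey sketches, written out as an added example for this thread (it is not code from the DNSOP list, from any resolver, or from a draft): the resolver keeps an ordered list of resolution paths, asks each one in turn, and returns only an answer whose signature validates; if every path yields bogus data it still returns nothing rather than the unvalidated record. The transports (a plain Do53 path that an on-path attacker has rewritten, and a DoT path straight to the authoritative) are in-memory stand-ins, the "signature" is an HMAC over the canonical RRset in place of RRSIG/DNSKEY verification, and the name `www.example.` and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed documentation values.

```python
"""Illustrative DNSSEC-failure fallback across resolution paths (added example).

Simplifications, all constructed for this example:
  - HMAC-SHA256 over the canonical RRset stands in for RRSIG validation
    against the zone's DNSKEY and chain of trust.
  - Transports are plain functions; real ones would speak Do53, DoT or DoH.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ZONE_KEY = b"constructed-zone-signing-key"   # stand-in for the zone's DNSKEY


@dataclass(frozen=True)
class Answer:
    name: str
    rdata: Tuple[str, ...]   # e.g. the A records in the RRset
    signature: bytes         # stand-in for the RRSIG covering the RRset


def canonical(name: str, rdata: Tuple[str, ...]) -> bytes:
    """Canonical form of an RRset: lower-cased owner name, sorted rdata."""
    return (name.lower().rstrip(".") + "|" + "|".join(sorted(rdata))).encode()


def sign(name: str, rdata: Tuple[str, ...], key: bytes = ZONE_KEY) -> bytes:
    return hmac.new(key, canonical(name, rdata), hashlib.sha256).digest()


def validates(ans: Answer, key: bytes = ZONE_KEY) -> bool:
    """True only if the signature matches the data actually received."""
    return hmac.compare_digest(sign(ans.name, ans.rdata, key), ans.signature)


# --- constructed transports -------------------------------------------------

def do53_via_hijacked_path(name: str) -> Answer:
    # An on-path attacker rewrites the A record; it cannot re-sign the RRset,
    # so the genuine signature no longer covers what the resolver receives.
    genuine = Answer(name, ("192.0.2.10",), sign(name, ("192.0.2.10",)))
    return Answer(name, ("198.51.100.99",), genuine.signature)


def dot_direct_to_auth(name: str) -> Answer:
    # The encrypted path to the authoritative returns the signed RRset intact.
    return Answer(name, ("192.0.2.10",), sign(name, ("192.0.2.10",)))


Path = Tuple[str, Callable[[str], Answer]]


def resolve_with_fallback(name: str, paths: List[Path]
                          ) -> Tuple[Optional[Answer], List[Tuple[str, bool]]]:
    """Try each path in order and return the first validating answer.

    Returns (answer, attempts); answer is None when no path produced data
    that validates, in which case the resolver must still answer SERVFAIL
    (or return the validation failure) rather than hand back unsigned data.
    """
    attempts: List[Tuple[str, bool]] = []
    for label, transport in paths:
        ans = transport(name)
        ok = validates(ans)          # validate regardless of which path answered
        attempts.append((label, ok))
        if ok:
            return ans, attempts
    return None, attempts


DEFAULT_PATHS: List[Path] = [
    ("Do53 via default path", do53_via_hijacked_path),
    ("DoT direct to authoritative", dot_direct_to_auth),
]

if __name__ == "__main__":
    answer, log = resolve_with_fallback("www.example.", DEFAULT_PATHS)
    for label, ok in log:
        print(f"{label}: {'secure' if ok else 'bogus'}")
    print("final answer:", answer.rdata if answer else "SERVFAIL")
```

The ordering of `paths` is the policy knob: the encrypted direct path is tried only after the default path yields bogus data, which keeps the resolver's normal behaviour on the fast path and limits the extra load on authoritative servers to cases where validation has already failed.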