Hi folks,

As far as I know, in DNSSEC the validating resolver is able to identify a bad response if signatures do not validate. But it is unable to retrieve the good one for the stub resolver if there are other alternatives.

I'm thinking about a draft proposal: if signatures do not validate, the validating resolver can try other resolution paths, like DoT or DoH directly to authoritative servers, or other public DNS servers which offer DNS encryption. It aims to work around the resolution path where the DNS hijack happened. Do you think it is a good idea, or a useful use case for DNS encryption in DNSSEC?

Best regards,
Davey
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
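The fallback behaviour the post proposes, as an added illustration that is not part of the original message or of any DNSOP draft: a validating resolver tries a list of resolution paths in order, returns the first answer whose signature validates, and only returns SERVFAIL if every path yields a bogus or missing answer. Everything here is constructed: the zone key, the three simulated paths (a hijacked plain-DNS forwarder, DoT to the authoritative server, DoH via a public resolver), and the responses they return. An HMAC stands in for RRSIG validation purely so the example runs offline; real DNSSEC validation chains public-key signatures up to the root trust anchor.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for the zone's DNSKEY / trust anchor. DNSSEC uses
# public-key RRSIGs; a shared-secret HMAC is used only to keep this runnable.
ZONE_KEY = b"example.com-zone-key-(constructed)"


@dataclass
class Response:
    name: str
    rdata: str
    sig: bytes  # stand-in for the RRSIG covering (name, rdata)


def sign(name: str, rdata: str, key: bytes = ZONE_KEY) -> bytes:
    """Stand-in for RRSIG generation by the zone signer."""
    return hmac.new(key, f"{name}|{rdata}".encode(), hashlib.sha256).digest()


def validate(resp: Response, key: bytes = ZONE_KEY) -> bool:
    """Stand-in for RRSIG validation: True only if sig covers this (name, rdata)."""
    return hmac.compare_digest(resp.sig, sign(resp.name, resp.rdata, key))


# The genuine signed answer, as the authoritative server would serve it.
GENUINE = Response("www.example.com", "192.0.2.10", sign("www.example.com", "192.0.2.10"))


# Simulated resolution paths (constructed). The first is the hijacked one from
# the post's scenario: the attacker rewrites the A record but cannot forge a
# signature for it, so the replayed RRSIG no longer matches the rdata.
def path_do53_forwarder(name: str) -> Optional[Response]:
    return Response(name, "198.51.100.66", GENUINE.sig)


def path_dot_authoritative(name: str) -> Optional[Response]:
    return GENUINE


def path_doh_public(name: str) -> Optional[Response]:
    return GENUINE


def path_unreachable(name: str) -> Optional[Response]:
    raise OSError("connection refused")


Path = Tuple[str, Callable[[str], Optional[Response]]]

DEFAULT_PATHS: List[Path] = [
    ("Do53 via configured forwarder", path_do53_forwarder),
    ("DoT direct to authoritative", path_dot_authoritative),
    ("DoH via public resolver", path_doh_public),
]


@dataclass
class Result:
    status: str                       # "SECURE" or "SERVFAIL"
    answer: Optional[Response]
    path: Optional[str]               # label of the path that produced the answer
    attempts: List[Tuple[str, str]] = field(default_factory=list)


def resolve_with_fallback(name: str, paths: List[Path] = DEFAULT_PATHS,
                          key: bytes = ZONE_KEY) -> Result:
    """Try each path in order; return the first answer that validates.

    A path whose answer fails validation is recorded as BOGUS and the next
    path is tried, which is the behaviour the post proposes. Transport errors
    and empty answers are recorded and skipped too. If no path produces a
    validating answer the stub gets SERVFAIL, exactly as a validating resolver
    does today.
    """
    attempts: List[Tuple[str, str]] = []
    for label, fetch in paths:
        try:
            resp = fetch(name)
        except OSError as exc:
            attempts.append((label, f"transport error: {exc}"))
            continue
        if resp is None:
            attempts.append((label, "no response"))
            continue
        if validate(resp, key):
            attempts.append((label, "SECURE"))
            return Result("SECURE", resp, label, attempts)
        attempts.append((label, "BOGUS"))
    return Result("SERVFAIL", None, None, attempts)


if __name__ == "__main__":
    result = resolve_with_fallback("www.example.com")
    for label, outcome in result.attempts:
        print(f"{label}: {outcome}")
    print(result.status, result.answer.rdata if result.answer else "-", "via", result.path)
```

Note that the fallback triggers only on a validation failure, not on an unsigned answer from an insecure zone, because without signatures the resolver has no way to tell a hijacked answer from a genuine one, whichever path it arrives on.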