On 19/10/2022 10.06, Philip Homburg wrote:
And then we end up with potentially many different implementations in applications, which seems worse to me.

That aim doesn't seem consistent with the statement that the proxy won't be trusted with DNSSEC validation.  That way you still need rather complex DNS code, ideally in a library.  And you'll need to query the stub for extra records to form the whole chain, so that you can even validate.  Overall I don't advise splitting DNSSEC validation away from the other stub work - cache in particular.  Also because of the mechanisms that you want to happen in case validation fails.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
