Hi Philip,

On 1 May 2025, at 19:10, Philip Homburg <pch-dnso...@u-1.phicoh.com> wrote:

>> The latter is true, but that doesn't explain the "No". If a stub
>> resolver gets an NS record from an authoritative source (in this
>> case, the root zone), and it gets a second NS record from a trusted
>> source (in this case, its configured resolver), why wouldn't it
>> use both of those records? I see nothing in any of the DNS standards
>> that says it should not, but I might be missing something.
>
> I don't understand your model of a stub resolver.
>
> My model of a stub result is that the stub resolver formulates a DNS
> query packet and sends it to a (recursive) resolver. The stub resolver
> doesn't care about NS records and does not try to combine information
> from multiple sources.

I think a stub resolver that cares about validation does care about those things. It sends queries to its chosen resolver with CD=1 and DO=1 and gathers enough information to be able to validate the response its application is looking for from whatever trust anchors it has at its disposal.

I also think that validating stub resolvers in the real world are borderline fictional, however, so it's possible that my mental model doesn't match other people's mental models and all of us are right since there's no real-world data to disagree with.

Joe
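An added illustration, not part of the original message or of any resolver's code: this Python sketch builds the query shape described above, with CD=1 in the DNS header and DO=1 in the EDNS0 OPT record, next to a plain stub query, and reads the bits back as a receiving resolver would. The function names, the 1232-byte UDP size, and the sample `example.com` DNSKEY query are assumptions made for the example.

```python
import struct

FLAG_RD = 0x0100   # header: recursion desired
FLAG_CD = 0x0010   # header: checking disabled (RFC 4035)
EDNS_DO = 0x8000   # OPT flags: DNSSEC OK (RFC 6891)
TYPE_OPT = 41
TYPE_DNSKEY = 48

def encode_name(name):
    """Encode a name as length-prefixed labels ending in the root label."""
    out = b""
    for label in filter(None, name.split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, txid, validating=True, udp_size=1232):
    """Build a query; validating=True sets CD=1 and adds an OPT RR with DO=1."""
    flags = FLAG_RD | (FLAG_CD if validating else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if validating else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if not validating:
        return header + question
    # OPT pseudo-RR: root owner, TYPE, CLASS=UDP size, ext-rcode, version, flags, RDLEN
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, 0, 0, EDNS_DO, 0)
    return header + question + opt

def skip_name(msg, pos):
    """Step over an uncompressed name (queries built here never compress)."""
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1

def parse_flags(msg):
    """Return the RD, CD and DO bits as the receiver of msg would see them."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos, do = 12, False
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)             # DO lives in the OPT "TTL" field
    return {"rd": bool(flags & FLAG_RD), "cd": bool(flags & FLAG_CD), "do": do}

if __name__ == "__main__":
    for mode in (True, False):                   # constructed sample queries
        q = build_query("example.com", TYPE_DNSKEY, 0x1234, validating=mode)
        print(mode, len(q), parse_flags(q))
```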