> I appreciate that DNSSEC is there to save us from such problems,
> but software has bugs and humans make mistakes and our goal ought
> to be to protect the namespace expecting that those things are
> true, not trying to legislate that they must be false. We have
> certainly seen fixes to DNSSEC validation failures of the form
> "turn off validation". Hope is not a strategy.

The advantage of DNSSEC is that a cached copy of the root zone will fail to validate in a few weeks.

So I wonder if we should say something to the effect:

A resolver MUST discard, ignore, or otherwise not use a local copy of the root zone if the DNSSEC validation status of the ZONEMD RRset in the zone is bogus, insecure, or indeterminate (i.e., anything other than secure).

This does not mean that the resolver has to be a DNSSEC validating resolver, just that it has to validate this one RRset to be able to use a local root.
