Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt

2022-02-22 Thread Paul Vixie
Vladimír Čunát wrote on 2022-02-22 14:56: On 22/02/2022 20.02, Geoff Huston wrote: ... I believe that the cleanest and least bug-prone way to implement this sub-case is to simply ignore any NSEC3 records with iterations over the limit.  You do not need to check any kind of signatures or an

Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt

2022-02-22 Thread Vladimír Čunát
On 22/02/2022 20.02, Geoff Huston wrote: I’m not sure I follow that latter comment relating to "a validating resolver returning an insecure response" - Do you mean: a) - a DNSSEC-validation capable resolver responding to a query that had the CD bit set? b) - a DNSSEC-validation capable resolv

Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt

2022-02-22 Thread Geoff Huston
> On 22 Feb 2022, at 10:29 pm, Vladimír Čunát > wrote: > > On 09/02/2022 22.41, Wes Hardaker wrote: >> So I've re-arranged things a bit to hopefully address the flow better. >> Let me know if you think further improvements are warranted. >> > I'd still probably suggest at least a minimalist cha

Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt

2022-02-22 Thread Vladimír Čunát
On 09/02/2022 22.41, Wes Hardaker wrote: So I've re-arranged things a bit to hopefully address the flow better. Let me know if you think further improvements are warranted. I'd still probably suggest at least a minimalist change like: -Note that a validating resolver MUST still validate the sig