On Wed, Apr 2, 2014 at 2:40 PM, Mark Andrews wrote:
> > I don't think this makes much sense for a coherent resolver. If I were
> > writing a resolver, the behaviour would instead be; try really hard to
> > find a valid response, exhaust every reasonable possibility. If it can't
> > get a valid r
In message
, Colm MacCárthaigh writes:
>
> On Tue, Apr 1, 2014 at 7:49 PM, Evan Hunt wrote:
>
> > On Tue, Apr 01, 2014 at 06:25:12PM -0700, Colm MacCárthaigh wrote:
> > > DNSSEC is a mitigation against spoofed responses, man-in-the-middle
> > > interception-and-rewriting and
On Apr 1, 2014, at 10:24 PM, Colm MacCárthaigh wrote:
>
> I don't think this makes much sense for a coherent resolver. If I were
> writing a resolver, the behaviour would instead be; try really hard to find
> a valid response, exhaust every reasonable possibility. If it can't get a
> valid
On Tue, Apr 1, 2014 at 7:49 PM, Evan Hunt wrote:
> On Tue, Apr 01, 2014 at 06:25:12PM -0700, Colm MacCárthaigh wrote:
> > DNSSEC is a mitigation against spoofed responses, man-in-the-middle
> > interception-and-rewriting and cache compromises. These threats are
> > endpoint and path specific, so
On Tue, Apr 01, 2014 at 06:25:12PM -0700, Colm MacCárthaigh wrote:
> DNSSEC is a mitigation against spoofed responses, man-in-the-middle
> interception-and-rewriting and cache compromises. These threats are
> endpoint and path specific, so it's entirely possible that one of your
> resolvers (or its