On 8/2/22 11:51 AM, Brown, William wrote:
> Or perhaps some way of the client side deciding how to handle hard vs. soft failure.
Wouldn't this require the client side being aware of DNSSEC and making a decision based on it?
Maybe it's just me, but I think client application side DNSSEC validation is woefully lacking.
Maybe there could be an option to ask a recursive DNS server to do DNSSEC validation and return record data even if the validation fails. Then the client could decide to use the data or not based on its preferences.
I feel like similar behavior can be achieved by messing with the CD / DO flags across multiple queries. But even this requires the client side being aware of DNSSEC. (See prior statement.)
I also feel like what we're discussing is dangerously close to defeating DNSSEC and antithetical to its purpose.
-- Grant. . . . unix || die
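The CD / DO comparison mentioned in the message above, as an added diagnostic sketch that is not part of the original post: it builds the two query variants in wire format and tells a validation failure apart from an ordinary resolution failure. The function names, the result labels and the `fake_response` headers are hypothetical and constructed for illustration; data that only appears with CD=1 has not been validated by anyone.

```python
import struct

RD_FLAG, AD_FLAG, CD_FLAG = 0x0100, 0x0020, 0x0010  # header bits (RFC 1035 / RFC 4035)
DO_FLAG = 0x8000   # "DNSSEC OK", carried in the flags half of the EDNS0 OPT TTL (RFC 3225)
NOERROR, SERVFAIL = 0, 2

def build_query(name, qtype=1, cd=False, do=True, qid=0x1234):
    """Wire-format query with RD set, optional CD, and an OPT record carrying DO."""
    header = struct.pack("!HHHHHH", qid, RD_FLAG | (CD_FLAG if cd else 0), 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, class = UDP payload size, TTL = flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO_FLAG if do else 0, 0)
    return header + question + opt

def parse_header(msg):
    """Extract the fields the comparison needs from a response header."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return {"rcode": flags & 0xF, "ad": bool(flags & AD_FLAG), "ancount": ancount}

def classify(resp_validated, resp_cd):
    """Compare the reply to a CD=0 query with the reply to the same query sent with CD=1."""
    v, c = parse_header(resp_validated), parse_header(resp_cd)
    if v["rcode"] == NOERROR:
        return "secure" if v["ad"] else "insecure-or-unvalidated"
    if v["rcode"] == SERVFAIL and c["rcode"] == NOERROR and c["ancount"] > 0:
        return "validation-failure"   # data exists, the resolver refused to vouch for it
    if v["rcode"] == SERVFAIL and c["rcode"] == SERVFAIL:
        return "resolution-failure"   # fails either way, so not a DNSSEC problem
    return "other"

def fake_response(rcode, ad=False, cd=False, ancount=0):
    """Constructed 12-byte response header (QR, RD, RA set) standing in for a resolver reply."""
    flags = 0x8000 | RD_FLAG | 0x0080 | (AD_FLAG if ad else 0) | (CD_FLAG if cd else 0) | rcode
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    print(build_query("example.com", cd=True).hex())
    print(classify(fake_response(SERVFAIL), fake_response(NOERROR, cd=True, ancount=1)))
```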
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users