On Mon, 30 Apr 2018, Tim Hollebeek wrote:
What about the cases we discussed where there is DNSSEC, but only for a subtree?
I don't know what that means? You mean a trust island not chained to the root? If so, then yes, that is a zone without DNSSEC since it is missing a DS in its parent (or grand parent, etc) But again, using a proper validating DNS server will handle all that for you. Paul _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy