On Tue, Apr 1, 2014 at 3:39 PM, Mark Andrews <ma...@isc.org> wrote:
>
> As I have said many times. There is a myth that recursive servers
> do not need to validate answers. Recursive servers will always
> need to validate answers. Stub resolvers can't recover from recursive
> servers that pass through bogus answers.

This too is going too far; of course they can, they can ask another recursive resolver.

> Always set CD=1 is also bad advice. Stub resolvers need to send
> both CD=1 and CD=0 queries and should default to CD=0. CD=1 should
> be left to the case where they get a SERVFAIL result to the CD=0
> to handle the case where the recursive server's clock is broken or
> it has a bad trust anchor.
>

Defaulting to CD=0 renders DNSSEC, essentially, pointless. Resolvers, and the path between resolvers and stubs, are the easiest components in the lookup chain to subvert.

>> So they resisted the idea of an authenticated Stub-client <-> Resolver
>> protocol and they dumb down the crypto so their model will work.
>
> DNSSEC is quite capable of protecting that path. Why do you need
> a second protocol?
>

That statement is not consistent with setting CD=0 on that path.

--
Colm
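The two behaviours under dispute above, concretely: a stub that queries with CD=0 first and retries with CD=1 only on SERVFAIL (the procedure Mark describes), and the fact that in the CD=0 case the stub is trusting the resolver's AD bit over an unauthenticated path (the dependence Colm objects to). This is an added example written for this page, not code from either poster; the DNS header layout and flag bits are from RFC 1035 and RFC 4035, while the `send` transport and the two mock resolvers are constructed stand-ins for a real UDP exchange.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, AD/CD from RFC 4035 section 3.2).
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authenticated Data: resolver asserts it validated the answer
FLAG_CD = 0x0010   # Checking Disabled: client asks the resolver not to validate
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def build_header(txid, checking_disabled, qdcount=1):
    """12-byte header for a recursive query, with CD set or clear."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0)


def parse_header(data):
    """Decode the fields a stub needs from a query or response header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "cd": bool(flags & FLAG_CD),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & RCODE_MASK,
        "ancount": an,
    }


def query_with_cd_fallback(send, txid):
    """CD=0 first; retry with CD=1 only if the resolver returns SERVFAIL.

    `send` is a hypothetical transport: header bytes in, response header bytes out.
    """
    resp = parse_header(send(build_header(txid, checking_disabled=False)))
    if resp["rcode"] != RCODE_SERVFAIL:
        # The stub is relying on the resolver's AD bit here. Nothing on the
        # stub<->resolver path authenticates that bit, which is the crux of the
        # objection in the thread.
        return {"mode": "cd0", "rcode": resp["rcode"], "ad": resp["ad"],
                "must_validate_locally": False}
    resp = parse_header(send(build_header(txid + 1, checking_disabled=True)))
    # With CD=1 the resolver did no validation, so AD carries no assurance and
    # the stub has to validate the RRSIG chain itself (not implemented here).
    return {"mode": "cd1", "rcode": resp["rcode"], "ad": False,
            "must_validate_locally": True}


def make_mock_resolver(validation_broken):
    """Constructed resolver: healthy, or one whose clock/trust anchor is bad.

    A broken validator SERVFAILs CD=0 queries but answers CD=1 queries, since
    CD=1 tells it to skip validation entirely.
    """
    def send(query_header):
        q = parse_header(query_header)
        flags = FLAG_QR | FLAG_RD | FLAG_RA
        if q["cd"]:
            flags |= FLAG_CD                 # CD is echoed; no AD, no validation
        elif validation_broken:
            flags |= RCODE_SERVFAIL          # validation failed, answer withheld
        else:
            flags |= FLAG_AD                 # validated answer
        ancount = 0 if (flags & RCODE_MASK) == RCODE_SERVFAIL else 1
        return struct.pack("!HHHHHH", q["id"], flags, 1, ancount, 0, 0)
    return send


if __name__ == "__main__":
    print(query_with_cd_fallback(make_mock_resolver(False), 0x1234))
    print(query_with_cd_fallback(make_mock_resolver(True), 0x1234))
```

Running it against the healthy mock returns `mode: cd0` with AD set; against the broken mock it falls through to `mode: cd1` with `must_validate_locally: True`. Either way the stub only gets an authenticated result if it validates the signatures itself, which is what both positions in the thread ultimately turn on.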
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop