If the resolver got the tampered DNS packet and the DNSSEC verification 
failed, the resolver should give a bogus answer to the end-user.
If the DNSSEC packet has been lost or dropped, the resolver configured 
with a weak trust anchor would give an insecure answer.
------------------ original email------------------
>From: Evan Hunt <e...@isc.org>
>Reply-To: 
>To: haikuo<zhanghai...@cnnic.cn>
>Cc: matthaeus.wan...@uni-due.de, dnsop@ietf.org
>Subject: Re: [DNSOP] draft-zhang-dnsop-weak-trust-anchor.txt
>Date: Sat, 31 May 2014 16:09:59 +0000
>

> If the verification fails, it should respond with "Bogus".
> If the resolver does not get enough data to do the verification, then the
> resolver with a weak trust anchor should respond with an "insecure" DNS
> packet. It is up to the end-user or netizens to decide what to do next.

If the resolver didn't get enough data, but should have, then the
validation failed and the answer is bogus.  Your proposal effectively
promotes all bogus answers to insecure.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
 
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
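The disagreement above is about how a validating resolver classifies a response when data it expected never arrives. The following Python model is an added illustration, not code from the thread, from the draft, or from any resolver implementation; it stubs the cryptographic signature check as a boolean and keeps only the classification logic. `Delegation`, `Response`, `validate_strict`, `validate_weak` and the sample cases are all constructed for this example, and the zone names are hypothetical. `validate_strict` follows the RFC 4035 section 4.3 outcomes (Secure, Insecure, Bogus); `validate_weak` follows the behaviour proposed for a "weak trust anchor", where missing data yields Insecure rather than Bogus.

```python
"""Model of DNSSEC validation outcomes for a strict validator (RFC 4035
section 4.3) and for the "weak trust anchor" variant discussed in the
thread. No real DNS wire format or cryptography is involved; the
signature check is a constructed boolean so the classification logic
can be compared on its own."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Outcome(Enum):
    SECURE = "secure"      # chain of trust from the anchor validated
    INSECURE = "insecure"  # provably unsigned delegation, nothing to check
    BOGUS = "bogus"        # validation was expected and failed, or data missing


class Delegation(Enum):
    SIGNED = "signed"      # parent holds a DS record covering the child's DNSKEY
    UNSIGNED = "unsigned"  # authenticated NSEC/NSEC3 proof that no DS exists
    MISSING = "missing"    # neither a DS nor a proof of its absence arrived


@dataclass
class Response:
    """Constructed stand-in for what the resolver collected for one answer."""
    name: str
    delegations: List[Delegation]  # from the trust anchor down to the answer's zone
    rrsig_present: bool            # RRSIG for the answer RRset was received
    rrsig_valid: bool = False      # outcome of the (stubbed) signature check


def validate_strict(resp: Response) -> Outcome:
    """Strict classification: if the chain says a DS or RRSIG should exist
    and it was not received, validation has failed, i.e. Bogus."""
    for d in resp.delegations:
        if d is Delegation.UNSIGNED:
            return Outcome.INSECURE   # proven unsigned: stop, nothing to verify
        if d is Delegation.MISSING:
            return Outcome.BOGUS      # expected a DS or a proof, got neither
    if not resp.rrsig_present:
        return Outcome.BOGUS          # zone is signed, signature was expected
    return Outcome.SECURE if resp.rrsig_valid else Outcome.BOGUS


def validate_weak(resp: Response) -> Outcome:
    """Proposed 'weak trust anchor' behaviour: a failed signature is Bogus,
    but any absent data is reported as Insecure."""
    for d in resp.delegations:
        if d in (Delegation.UNSIGNED, Delegation.MISSING):
            return Outcome.INSECURE
    if not resp.rrsig_present:
        return Outcome.INSECURE
    return Outcome.SECURE if resp.rrsig_valid else Outcome.BOGUS


# Constructed cases under a trust anchor for the hypothetical zone "example.".
CASES: Dict[str, Response] = {
    "intact":         Response("www.example.", [Delegation.SIGNED], True, True),
    "tampered":       Response("www.example.", [Delegation.SIGNED], True, False),
    "rrsig_dropped":  Response("www.example.", [Delegation.SIGNED], False),
    "ds_dropped":     Response("www.example.", [Delegation.MISSING], True, True),
    "truly_unsigned": Response("www.example.", [Delegation.UNSIGNED], False),
}


def downgraded_cases(cases: Dict[str, Response]) -> List[str]:
    """Names of cases a strict validator calls Bogus but the weak variant
    reports as Insecure: these are the answers the weak behaviour lets
    through that a strict resolver would refuse to return."""
    return sorted(
        name for name, r in cases.items()
        if validate_strict(r) is Outcome.BOGUS
        and validate_weak(r) is Outcome.INSECURE
    )


if __name__ == "__main__":
    for name, r in CASES.items():
        print(f"{name:15} strict={validate_strict(r).value:9} "
              f"weak={validate_weak(r).value}")
    print("downgraded:", downgraded_cases(CASES))
```

The two validators agree on an intact answer, on a tampered answer (signature present but failing) and on a provably unsigned zone. They differ exactly on the cases where a DS or RRSIG was expected but not received: the strict validator treats lost or stripped data as a failed validation, while the weak variant hands the client an Insecure answer that is indistinguishable from a genuinely unsigned zone. `downgraded_cases` enumerates that gap, which is the point Evan Hunt makes about all such Bogus answers being promoted to Insecure.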