Ralf Weber <d...@fl1ger.de> wrote:
>
> I think if we think of the resolver having another auth root server at
> localhost the logic is easier to understand makes much more sense as
> DNSSEC protections would kick in even if someone managed to inject a bad
> zone.

I think that is too simplistic: simply slaving the root zone doesn't give you any good way to detect or recover from a corrupted zone transfer. By the time normal DNSSEC validation has detected any problems it is too late.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
FitzRoy: Northerly 4 or 5, increasing 6 or 7 in south, perhaps gale 8 later in southeast. Moderate, becoming moderate or rough in south. Fair. Good.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop