On Thu, Aug 21, 2014 at 12:17:25PM +1000, Mark Andrews wrote: > If they fail it can > fallback to making iterative queries or just accept the failure.
I'd quibble with this bit: if it can make iterative queries, then we might as well just call it a validating resolver. IMHO the thing we're describing is an application that gets DNS service from a recursive resolver, but validates the answers rather than trusting them implicitly. It needs to be able to send the resolver a succession of queries to obtain the chain of trust, but it's not going to be iterating down from the root. The "delv" utility that ships with BIND 9.10 is an example. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop