Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>
> My personal interpretation is that "validating resolver" is a synonym
> for "security-aware resolver". Do others agree? If not, how would you
> differentiate them?

No, "security-aware" means that the software understands the special semantics of RRSIG, NSEC, DS, etc. but does not necessarily validate. It is clear from RFC 4033 that validation is separate from security awareness because of "Non-Validating Security-Aware Stub Resolver".

For instance, by default, BIND is a security-aware validating resolver. (Except it can't validate anything until you configure a trust anchor.) You can turn off validation with "dnssec-validation no" and switch it into security-oblivious mode with "dnssec-enable no".

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Faeroes: Southwest 5 or 6, becoming cyclonic then northwest later, 7 to severe gale 9, perhaps storm 10 later. Very rough or high. Occasional rain. Moderate, occasionally poor.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop