Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>
> My personal interpretation is that "validating resolver" is a synonym
> for "security-aware resolver". Do others agree? If not, how would you
> differentiate them?

No, "security-aware" means that the software understands the special
semantics of RRSIG, NSEC, DS, etc. but does not necessarily validate. It
is clear from RFC 4033 that validation is separate from security awareness
because of "Non-Validating Security-Aware Stub Resolver".

For instance, by default, BIND is a security-aware validating resolver.
(Except it can't validate anything until you configure a trust anchor.)
You can turn off validation with "dnssec-validation no" and switch it into
security-oblivious mode with "dnssec-enable no".

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Faeroes: Southwest 5 or 6, becoming cyclonic then northwest later, 7 to severe
gale 9, perhaps storm 10 later. Very rough or high. Occasional rain. Moderate,
occasionally poor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
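
Added example, not part of the original message and not BIND code: a heuristic that maps the three resolver modes described above onto what appears on the wire. It assumes the response answers a query for a signed name sent with the DO bit set; `classify`, `build` and the sample packets are constructed for illustration, and the RDATA is placeholder bytes.

```python
import struct

RRSIG = 46        # RR type code for RRSIG
AD_FLAG = 0x0020  # "Authentic Data" header bit, set by a validator

def _skip_name(msg, off):
    """Return the offset just past an encoded domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def classify(response):
    """Heuristic label for the resolver that produced this response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", response[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(response, off) + 4  # skip QTYPE and QCLASS
    has_rrsig = False
    for _ in range(an):
        off = _skip_name(response, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10 + rdlen
        has_rrsig = has_rrsig or rtype == RRSIG
    if flags & AD_FLAG:
        return "security-aware, validating"
    if has_rrsig:
        return "security-aware, non-validating"
    return "security-oblivious"

def build(flags, rrtypes):
    """Constructed sample response for example.com; RDATA is placeholder bytes."""
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, 4) + b"\x00" * 4
        for t in rrtypes)
    header = struct.pack("!6H", 0x1234, flags, 1, len(rrtypes), 0, 0)
    return header + question + answers

if __name__ == "__main__":
    for flags, types in [(0x81A0, [1, 46]), (0x8180, [1, 46]), (0x8180, [1])]:
        print(hex(flags), types, "->", classify(build(flags, types)))
```

The AD bit can also be passed through by a forwarder, so treat the label as an indication of the resolver path rather than proof about one piece of software.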
