On Mar 8, 2015, at 6:31 PM, Ralf Weber <d...@fl1ger.de> wrote:
> I was told that the difference is that a security aware resolver does
> not validate, but instead relies on the "Validating Stub Resolver" to
> protect the user. So it would handle all the DNSSEC processing to the
> authoritative and would store the records with signatures in the cache,
> but it wouldn't check if they are valid.

Doesn't this create an opportunity for a DoS attack based on poisoning the cache with a record that won't validate? So I am in violent agreement with your conclusion. :)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop