On Feb 9, 2017, at 3:45 PM, Mark Andrews <ma...@isc.org> wrote:
> At the moment we have Ted saying that if you want privacy you MUST
> also turn on DNSSEC validation and implement QNAME minimisation and
> implement aggressive negative caching (still an I-D).

No, I am _not_ saying that. I am saying that an unsigned delegation doesn't help with privacy unless you also specially configure your local resolver, and if you are going to specially configure your local resolver, then there are several options for how to do that. The only reason you need DNSSEC is that if you specially configure your local resolver to lie, then DNSSEC validation will break that. If you aren't doing DNSSEC validation, you can say any old thing in your local resolver and the stub will believe it.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop