On Thu, 2 Aug 2018, Paul Hoffman wrote:

> That only works for validating resolvers. ZONEMD also is useful for non-validating resolvers.

A non-validating resolver doesn't have a validated cache.

The internet is no place for spoofable data in any kind of protocol.

I don't think the IETF should provide DNS-without-DNSSEC solutions,
just like we don't do SHA1 or MD5 or IKEv1 or TLS 1.0 anymore.

We should not make things more complicated to allow for dnssecless.

A non-validating resolver is on its own. Nothing can save it.

