On Thu, Mar 30, 2017 at 07:23:46PM -0500, Brian Dickson wrote:
> What seems to be "missing" (as in, maybe it is a corner case that wasn't
> noticed before), is the ability for a security-aware resolver to "signal"
> to a stub, that it is deliberately not returning DNSSEC records, even
> though the
I have looked at the need for unsigned delegations required to satisfy stub
validators, and am interested in feedback to an idea I have: signal to the
stub, deliberate non-use of DNSSEC.
The presumption is that a stub's use of a recursive resolver involves some
degree of "trust", at least if it us