[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

Paul Vixie paul at vix.com
Tue May 27 05:50:05 UTC 2008

> 	What additional traffic?  It's still a validating stub resolver.
> 	It's still using the local caching nameserver.  The only time it
> 	would have to be a full iterative resolver is when the local caching
> 	server doesn't know how to pass through the DNSSEC data.
> 	Mark

forgive my ignorance, if that's what it is, but a validating stub will never
see the DS RRs for intermediate zone cuts between the RRset it's validating
and the trust anchors it has, since it's not doing downward iteration and the
DS RRs are normally learnt as side effects of downward delegation.  how is a
validating stub resolver going to know a chain of trust without querying for
DS RRs, more or less like "the grandfather problem" except pretty much always?
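
Added example, not part of the original message: a sketch of the explicit lookups a validating stub would send to its local cache to build the chain of trust bottom-up, following the signer name in each RRSIG (a DS RRset is signed by the parent zone). The zone names and the SIGNER table are constructed; signature verification is omitted and only the query pattern is modelled.

```python
# Constructed stand-in for a DNSSEC-aware local cache:
# (owner, type) -> signer name from the RRSIG covering that RRset.
# All zones are hypothetical. dept.corp.example. is deliberately NOT a
# zone cut; the signer name is what tells the stub which zone to chase.
SIGNER = {
    ("www.dept.corp.example.", "A"): "corp.example.",
    ("corp.example.", "DNSKEY"): "corp.example.",
    ("corp.example.", "DS"): "example.",      # DS is signed by the parent
    ("example.", "DNSKEY"): "example.",
    ("example.", "DS"): ".",
    (".", "DNSKEY"): ".",
}

def chain_queries(qname, qtype, trust_anchors):
    """Return the ordered queries a validating stub issues to link
    (qname, qtype) to one of trust_anchors (a set of zone names)."""
    queries = [(qname, qtype)]
    zone = SIGNER.get((qname, qtype))
    seen = set()
    while zone is not None:
        if zone in seen:
            raise ValueError("signer loop at " + zone)
        seen.add(zone)
        queries.append((zone, "DNSKEY"))       # key that made the signature
        if (zone, "DNSKEY") not in SIGNER:
            break                              # cache returned no signed DNSKEY
        if zone in trust_anchors:
            return queries                     # DNSKEY checked against anchor
        queries.append((zone, "DS"))           # explicit DS query to the cache
        zone = SIGNER.get((zone, "DS"))        # signer of DS == parent zone
    raise LookupError("no signed path to a trust anchor")

def ds_query_count(qname, qtype, trust_anchors):
    """Number of explicit DS lookups needed for one validation."""
    return sum(1 for _, t in chain_queries(qname, qtype, trust_anchors) if t == "DS")

if __name__ == "__main__":
    for q in chain_queries("www.dept.corp.example.", "A", {"."}):
        print(*q)
```

With a cold stub, each zone between the answer and the trust anchor costs one DNSKEY and one DS query to the cache; a configured anchor closer to the answer shortens the walk.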

