[dns-operations] Research Project: Identifying DNSSEC Validators

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Sep 7 07:10:41 UTC 2012


On Thu, Sep 06, 2012 at 10:43:12AM -0700,
 Wessels, Duane <dwessels at verisign.com> wrote 
 a message of 39 lines which said:

> I wouldn't say our setup assumes only one recursive in the path,

From my colleague Kim Minh Kaplan:

In the case where one of the forwarders is non-validating, it will
happily accept and cache the non-signed response. When the local
validating resolver retries its query to the non-validating forwarder,
the forwarder can reply with the cached, non-signed answer.

My understanding is that many dnssec-trigger users will be in such a
setup.


