[dns-operations] DNSSEC validation - salliemae.com

Jim Reid jim at rfc1035.com
Wed Aug 7 14:02:29 UTC 2019

On 7 Aug 2019, at 14:25, Robert Blayzor <rblayzor.bulk at inoc.net> wrote:
> I thought DNSSEC validation was to be "all or nothing". How can you be
> doing DNSSEC validation but still passing back RRs that do not pass due
> to not having any signature?

Because validating resolvers have configuration options to allow this.

It’s also possible that a validator has cached a (stale?) DS record and that’s allowing things to validate when they should fail - or vice versa.
