[dns-operations] DNSSEC validation - salliemae.com

[Jim Reid]

On 7 Aug 2019, at 14:25, Robert Blayzor <rblayzor.bulk at inoc.net> wrote:
> 
> I thought DNSSEC validation was to be "all or nothing". How can you be
> doing DNSSEC validation but still passing back RR's that do not pass due
> to not having any signature ?

Because validating resolvers have configuration options to allow this.

It’s also possible that a validator has cached a (stale?) DS record and that’s allowing things to validate when they should fail - or vice versa.