In message <[email protected]>, Stephane Bortzmeyer writes:
> On Thu, Sep 06, 2012 at 10:43:12AM -0700,
>  Wessels, Duane <[email protected]> wrote
>  a message of 39 lines which said:
>
> > I wouldn't say our setup assumes only one recursive in the path,
>
> From my colleague Kim Minh Kaplan:
>
> In the case where one of the forwarders is non validating, it will
> happily accept and cache the non signed response. When the local
> validating resolver retries its query to the non validating forwarder,
> the forwarder can reply with the cached, non signed answer.

And is a perfect example of why CD=1 always is *wrong* as it disables
validation in the forwarder.

> My understanding is that many dnssec-trigger users will be in such a
> setup.
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
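
The situation discussed in this thread, seen from the local validating resolver's side, as an added example that is not part of the original messages: it builds a query with the DO and CD bits and checks whether a forwarder's reply carries any RRSIG at all. The function names, `example.test`, `192.0.2.1` and both response messages are constructed for illustration.

```python
import struct

FLAG_AD, FLAG_CD = 0x0020, 0x0010        # header bits defined by DNSSEC
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, do=True, cd=False, qid=0x1234):
    """Query for an A record with an EDNS0 OPT record; DO and CD are optional."""
    flags = 0x0100 | (FLAG_CD if cd else 0)            # RD=1, CD as requested
    msg = struct.pack("!6H", qid, flags, 1, 0, 0, 1)   # 1 question, 1 additional
    msg += encode_name(name) + struct.pack("!2H", TYPE_A, 1)
    # OPT: root owner, class = UDP payload size, DO is bit 0x8000 of the TTL field
    return msg + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x8000 if do else 0, 0)

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:                           # compression pointer
            return pos + 2
        pos += n + 1

def summarize(msg):
    """Report the AD/CD flags and whether the answer section holds an RRSIG."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    pos, types = 12, []
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4                  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        types.append(rtype)
        pos += 10 + rdlen
    return {"ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "answers": an, "rrsig": TYPE_RRSIG in types}

def answer_lacks_signatures(msg):
    """True when a reply to a DO=1 query has answers but no RRSIG to validate."""
    s = summarize(msg)
    return s["answers"] > 0 and not s["rrsig"]

def _response(flags, signed):                          # constructed sample replies
    body = encode_name("example.test") + struct.pack("!2H", TYPE_A, 1)
    body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    if signed:                                         # placeholder RDATA, not a real signature
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 24) + bytes(24)
    return struct.pack("!6H", 0x1234, flags, 1, 2 if signed else 1, 0, 0) + body

UNSIGNED = _response(0x8180, signed=False)   # what a non-validating forwarder may cache
SIGNED = _response(0x81A0, signed=True)      # AD set, RRSIG present
```

An answer without RRSIGs for a name in a signed zone cannot be validated locally, so the check flags `UNSIGNED` and passes `SIGNED`.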
