On Thu, Oct 23, 2014 at 11:00:31AM -0700, Paul Hoffman wrote:
>
> That's a fair question. I'm much more interested in validating than
> recursive. I don't believe that enough upstream resolvers will
> reliably get the end system answers that can be validated, so the
> validating end system will have to be able to be a recursive some of
> the time anyway.

What is certainly true is that a validating stub that needs missing DNSSEC data will have to go get it, and this makes it considerably less stubby. But there are two things to keep in mind.

First, at least some recursive resolvers are going to do the right and useful thing when they get CD=1, because they'll also do validation themselves (even if they pass on bogus data), and they'll cache the resulting data needed for validation.

Second, that cached data itself can then be used by others also. Indeed, with the larger RRset sizes of DNSSEC-signed data, there's a good argument to be made that caches become _more_ important, not less.

Best regards,

A

--
Andrew Sullivan
[email protected]
