In your previous mail you wrote:

On May 5, 2009, at 10:11 PM, YAO Jiankang wrote:
> thanks for your information.
> so we can say that in the current practice, the (validating)
> resolvers are not run by local host or machine.

=> Between the two solutions, non-validating security-aware resolver and validating security-aware resolver, it is clear the first is far easier: it needs only to check the AD bit and to use a protected channel to get responses from a validating cache server. It is enough if handling of no validation (i.e., responses without the AD bit) is not critical, for instance in OpenSSH, which includes exactly this. But if the no-validation or validation-error cases are critical, this is impossible to debug: the information which hopefully can help to understand an unexpected result is kept on the caching server. So IMHO it is an easy solution until it becomes not so easy, or not easy at all...
Regards
[email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
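The mail above describes what a non-validating security-aware stub actually has to do: set the AD bit in its query, read the AD bit back from the response, and trust that bit only when the path to the validating cache is protected. The following is an added example, not code from the thread or from any resolver implementation; it parses the fixed DNS header, classifies a response the way such a stub would, and shows the debugging problem the mail raises: a validation failure arrives as SERVFAIL, which the stub cannot tell apart from any other server failure. The `channel_protected` flag is an assumption standing in for whatever the deployment uses (loopback, TSIG, IPsec); the sample responses are constructed header-only messages.

```python
"""Stub-side handling of the DNSSEC AD bit (added example, not from the thread)."""
import struct
from dataclasses import dataclass

# Header flag bits: RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.3.
QR = 1 << 15   # message is a response
RD = 1 << 8    # recursion desired
RA = 1 << 7    # recursion available
AD = 1 << 5    # authentic data: set by a validating resolver when all data validated
CD = 1 << 4    # checking disabled
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


@dataclass(frozen=True)
class Header:
    msg_id: int
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> Header:
    """Unpack the fixed 12-byte DNS header (six big-endian 16-bit fields)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    return Header(*struct.unpack("!6H", msg[:12]))


def build_query(msg_id: int, qname: str, qtype: int = 1) -> bytes:
    """Build a query with RD and AD set: RFC 6840 section 5.7 lets a stub set AD
    in the query to signal that it understands the AD bit in responses."""
    header = struct.pack("!6H", msg_id, RD | AD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # qclass IN


def classify(msg: bytes, channel_protected: bool) -> str:
    """Classify a response as a non-validating security-aware stub would.

    "secure"   - AD set and the channel to the cache is trusted
    "insecure" - NOERROR without AD, or AD over an unprotected channel (AD is
                 just a header bit; an on-path attacker can set it, so it is
                 only meaningful when the transport is protected)
    "servfail" - what a validating cache returns for bogus data, but also for
                 unrelated failures; the stub cannot tell which, and the
                 evidence lives in the cache's logs, not here
    """
    h = parse_header(msg)
    if not h.flags & QR:
        raise ValueError("not a response")
    rcode = h.flags & RCODE_MASK
    if rcode == RCODE_SERVFAIL:
        return "servfail"
    if rcode != RCODE_NOERROR:
        return "rcode%d" % rcode
    if h.flags & AD and channel_protected:
        return "secure"
    return "insecure"


def _response(flags: int, msg_id: int = 0x1234) -> bytes:
    """Constructed sample: a header-only response with empty sections."""
    return struct.pack("!6H", msg_id, flags, 0, 0, 0, 0)


# Constructed sample responses from a validating cache.
SECURE_RESPONSE = _response(QR | RD | RA | AD)          # validated upstream
INSECURE_RESPONSE = _response(QR | RD | RA)             # unsigned zone, or AD stripped
SERVFAIL_RESPONSE = _response(QR | RD | RA | RCODE_SERVFAIL)  # bogus... or anything else


if __name__ == "__main__":
    q = parse_header(build_query(0x1234, "example.com."))
    print("query sets AD:", bool(q.flags & AD))
    for name, resp in [("secure", SECURE_RESPONSE), ("insecure", INSECURE_RESPONSE),
                       ("servfail", SERVFAIL_RESPONSE)]:
        print(name, "protected:", classify(resp, True), "unprotected:", classify(resp, False))
```

The point of the `servfail` branch is the mail's complaint in code: the stub sees the same two-bit RCODE whether the cache rejected a bogus signature, timed out upstream, or hit a configuration error, so anything beyond "the cache said no" has to be debugged on the cache.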
