In message <CAMm+LwhnDGJftdSZMyOHi3kjocP6Pw=notcnqr5kr+pomal...@mail.gmail.com>, Phillip Hallam-Baker writes:
> On Mon, Mar 10, 2014 at 1:44 PM, Tony Finch <d...@dotat.at> wrote:
>
> > Phillip Hallam-Baker <hal...@gmail.com> wrote:
> > >
> > > First off it means that if the recursive is being used in discovery-only
> > > mode it can simply pass data from the authoritative to the stub without
> > > checking the DNSSEC chain.
> >
> > If the recursive server is cacheing it needs to do DNSSEC validation to
> > protect its cache from poisonous authorities.
>
> But that would be an offline activity rather than within the response loop
> to service the request from the stub.

Actually it needs to be within the response loop so it can discard bad data
and move onto a different server.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org