Paul Vixie <[email protected]> wrote:
>
> it's not the case, period. the root zone happens to be transferred using
> TSIG keys between the verisign distribution servers and the root
> publication servers. but for most dnssec-secured zones there is no TSIG.

That surprises me.

> > With normal DNSSEC validation, resolvers have a way to recover from data
> > corruption. With this local root zone proposal they do not.
>
> i seem to have missed a step. why?

If a validating resolver gets a bogus answer it will retry the query on
another server. With a local root zone you are disabling this fallback.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Fitzroy, Sole: Westerly 6 to gale 8 backing southerly or southwesterly 7 to
severe gale 9, perhaps storm 10 later in east Sole. Rough or very rough.
Rain or thundery showers. Moderate or poor.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
