> Evan Hunt <mailto:[email protected]>
> Tuesday, January 13, 2015 10:41 PM
>
> Didn't we decide a while back that this was a bad idea, that resolvers
> needed to stop trusting CNAME chains sent by authorities, and that
> authorities really ought to stop sending them?

yes, we did, "unless dnssec signatures are also sent". that's in warren's proposal also.

> Even if I'm DNSSEC-validating your responses, you *could* be replaying
> an outdated answer with a still-valid signature, ...

no, because you could receive that signature in other ways, and so its validity-period is all that governs.

-- 
Paul Vixie
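The resolver policy the two messages describe (keep authority-supplied CNAME-chain records only when a DNSSEC signature for them is present and currently valid, so a replayed answer is bounded by the signature's validity window) as an added Python model; it is not code from the thread or from any resolver, and the names, record values and the stubbed `crypto_ok` check are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class RRset:
    owner: str
    rtype: str
    rdata: tuple

@dataclass(frozen=True)
class RRSIG:
    # Only the fields this policy inspects; the cryptographic check is
    # stubbed as `crypto_ok` (a real resolver verifies against DNSKEY).
    covers: str
    rtype: str
    inception: datetime
    expiration: datetime
    crypto_ok: bool = True

def signed_and_current(rrset, sigs, now):
    """True if some RRSIG covers rrset, verifies, and is valid at `now`."""
    return any(
        s.covers == rrset.owner and s.rtype == rrset.rtype and s.crypto_ok
        and s.inception <= now <= s.expiration
        for s in sigs
    )

def usable_rrsets(qname, answer, sigs, now):
    """Keep the RRset for the queried name; keep any further RRset the
    authority volunteers by chasing a CNAME only if a currently valid
    signature covers it.  Replay of an old chain target is thus bounded
    by the RRSIG validity window, however the signature was delivered."""
    return [r for r in answer
            if r.owner == qname or signed_and_current(r, sigs, now)]

# Constructed sample (hypothetical names): www.example. is a CNAME whose
# A target the authority also volunteers in the same answer section.
NOW = datetime(2015, 1, 14, tzinfo=timezone.utc)
ANSWER = [RRset("www.example.", "CNAME", ("host.example.",)),
          RRset("host.example.", "A", ("192.0.2.1",))]
FRESH_SIG = RRSIG("host.example.", "A", NOW - timedelta(days=1), NOW + timedelta(days=7))
STALE_SIG = RRSIG("host.example.", "A", NOW - timedelta(days=30), NOW - timedelta(days=1))

def kept_owners(sigs):
    """Owner names the resolver would cache, given the RRSIGs that arrived."""
    return [r.owner for r in usable_rrsets("www.example.", ANSWER, sigs, NOW)]

if __name__ == "__main__":
    print("unsigned:       ", kept_owners([]))          # only www.example.
    print("still-valid sig:", kept_owners([FRESH_SIG]))  # both names
    print("expired sig:    ", kept_owners([STALE_SIG]))  # only www.example.
```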
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
