On Mon, Apr 03, 2017 at 03:48:49PM -0400, Paul Wouters wrote:
> As Evan said, there should not be any code in an authoritative server
> that requires it to do recursive validation.

I said what now? Had I recently had dental surgery? I don't remember this.

If you mean the comment I made on the ANAME thread, I was just saying that it's possible to implement CNAME flattening without a built-in resolver; several implementations already do.

(I do believe an authoritative server should be *able* to operate without built-in recursive code, and enabling such operation is on my list of things to get around to someday in BIND: if auth servers could be configured to use external resolvers, then security bugs affecting only the recursive code wouldn't be any risk to them. But I definitely wouldn't phrase that as "there should not be any code".)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.