Evan Hunt <[email protected]> wrote: > > No, an ANAME-aware resolver would ignore those records, re-query for > the ANAME target, and validate the response from there - same as it does > now with a CNAME. As long as the ANAME is validly signed, it's just a > chain query.
That only works if the downstream resolvers (stubs etc.) are not validating. (Or maybe if they are ANAME-aware but the upstream resolver has no way of knowing that.) Tony. -- f.anthony.n.finch <[email protected]> http://dotat.at/ - I xn--zr8h punycode Malin, Hebrides: Southwest, veering northwest 5 to 7, occasionally gale 8 at first in Hebrides, then perhaps gale 8 later. Rough or very rough, becoming high later in west. Rain then snow showers. Good, occasionally poor. _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
