On 06/22/2018 12:27 AM, Ted Lemon wrote:
> Thanks. In the case where a zone isn't signed but the authoritative
> server supports SIG(0), the response could be verified that it
> includes exactly what the server sent. But the KEY would need to be
> DNSSEC validated or it probably can't be trusted to verify the SIG(0)
> response.
Well, the path to the resolver can be secured via other means that are commonly available nowadays, e.g. DNS over TLS.

I can also see use cases for a client trusting a resolver enough not to bother with DNSSEC validation locally.

--Vladimir