Dave Lawrence <[email protected]> wrote:
>
> In the large I agree with you, but I think there's more to it than
> that. If it pushed me DNSSEC records that I could verify myself from
> my own configured trust anchor, why can't I trust them then?

I've been idly wondering about this from the point of view of RFC 2181
trust ranking: to what extent does it make sense to promote the rank of
data (e.g. additional records) that has been validated?

The risk, I think, is replaying stale data - there shouldn't be any worse
consequences. So it should amount to a DoS attack (and there are easier
ways to achieve one of those).

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Shannon: Northerly 3 or 4, occasionally 5 in east. Moderate. Mainly fair.
Good.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
