On Apr 29, 2020, at 8:01 PM, Michael StJohns <[email protected]> wrote: > If you've got an securely insecure (e.g. delegation was to an insecure zone > at some point) CNAME that points into a secure zone, I would say your result > is probably Bogus or Unsecure as you haven't any way to evaluate trust. I > don't think you can bootstrap security this way.
I agree that you can’t bootstrap security this way. I would agree that the answer can’t have the AD bit set. However, I don’t see why this arrangement should be considered bogus.
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
