On Oct 7, 2021, at 10:43, Brian Dickson <[email protected]> wrote:

>> Do you mean reliably determine if a resolver is claiming to validate, or 
>> reliably determine whether a resolver is actually validating?
>> 
> Claiming… if the answer is that it is not claiming that, it might simplify 
> some parts of the logic on use of CD.
> 
> If there isn’t any way to reliably determine that it is claiming to validate, 
> that is unfortunate, and then begs the question on whether it is worth doing 
> anything about it.

I'm not sure what value such a claim would have anyway. 

If you need to be sure that something is correct to the extent that you require 
cryptographic proof, then you need cryptographic proof. This surely means you 
need to establish a path of trust from an anchor to the leaf you care about. 

Some unsigned promise from an external system to behave in any particular way 
surely doesn't meet the bar; if it does, then perhaps you don't in fact require 
cryptographic proof. 

So I think your question needs work. 


Joe
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
