> Partially. I believe the DNSSEC validation and following the > CNAME-chain have to be implemented in the same routine. This is > because to perform an authenticated denial of existence, you first > need to know which name and rrtype you want to prove does not exist.
DNSSEC validation follows the CNAME-chain that is part of validation. However, the ultimate user of the data also has to follow the CNAME-chain to avoid picking up unwanted additional records in the answer section. _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
