> But this isn't generally necessary. If you're doing
> DNSSEC the only reason not to trust the local resolver is if it
> doesn't give enough answers to construct the proofs.

How do you define local resolver? One running on the same host or one running somewhere in the local network?

In general, for a mobile device, I don't trust the local network's resolver. The device could be connected to any random network. There is no reason to trust a random network operator.

At the same time, the local network's resolver could have zones or views of zones that are only available through that resolver.

So DNSSEC validation should be done in the application (stub resolver) or in a validating proxy on the same host, but queries should be forwarded to the local network's resolver.
