On Apr 30, 2025, at 18:25, Ted Lemon <[email protected]> wrote:
>
> The local resolver can safely lie about the delegation, so unless the stub
> resolver queries the root directly this isn’t an issue.

A validating stub resolver would indeed query the root to create the chain of trust. That's the whole point of *validating* stub resolvers.

> Even if it does, unless it uses DoH, the edge router can intercept the query.

The IETF does not promote "edge router can intercept the query". :-) Further, even in that scenario, then there is no reason for an insecure delegation: no delegation works fine.

> But this isn’t generally necessary. If you’re doing DNSSEC the only reason
> not to trust the local resolver is if it doesn’t give enough answers to
> construct the proofs.

You may feel that way, but that's not the model adopted by the DNSSEC standards.

--Paul Hoffman

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
