> On 2 May 2025, at 02:07, Paul Hoffman <[email protected]> wrote:
>
> On Apr 30, 2025, at 18:25, Ted Lemon <[email protected]> wrote:
>>
>> The local resolver can safely lie about the delegation, so unless the stub
>> resolver queries the root directly this isn’t an issue.
>
> A validating stub resolver would indeed query the root to create the chain of
> trust. That's the whole point of *validating* stub resolvers.

A validating stub resolver asks the recursive resolver for the DS records, which returns the NODATA proof from the root servers or returns it from its local copy of the root zone.

>> Even if it does, unless it uses DoH, the edge router can intercept the query.
>
> The IETF does not promote "edge router can intercept the query". :-) Further,
> even in that scenario, then there is no reason for an insecure delegation: no
> delegation works fine.
>
>> But this isn’t generally necessary. If you’re doing DNSSEC the only reason
>> not to trust the local resolver is if it doesn’t give enough answers to
>> construct the proofs.
>
> You may feel that way, but that's not the model adopted by the DNSSEC
> standards.
>
> --Paul Hoffman
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
