On Fri, 2 May 2025, Ben Schwartz wrote:
>> My personal unsupported assumption is that the number
>> of devices in the "we use the cache but don't believe what it says" camp is
>> small enough not to matter.
> I expect you're right today, but there are definitely some folks in
> DNSOP who are trying to change that. If one wants validating stubs to
> be common in the future, it would seem important not to add more
> stumbling blocks today.
But now we're back to assumptions about how people's DNS is set up.
If my system assumes the cache is generally trustworthy, how about if we
invent a way for the cache to say there is an NTA here for the apex of a
locally served zone so a local validator knows unsigned answers are OK.
On the other hand, if I don't think the cache is trustworthy, even if
there's an unsigned delegation at the root, why would I believe what the
cache says is under it?
If we think that DNSSEC breakage of locally served zones is a problem, we
should fix it rather than just sticking in hacks that move around where
the lies are.
R's,
John
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]