It appears that Willem Toorop <[email protected]> said:
> So in theory, the resolver could do with a transfer of the zone without
> the RRSIGs for the DSes, provided (for example) that there is also a
> ZONEMD + RRSIG for the unsigned data ...
>
> Only for validating clients (still rare?) that will query for the DS of
> the delegations explicitly, an exception needs to be made and a query
> needs to go to the root server to get the DS with RRSIG then anyway.

This is starting to bleed into DELEG. The main point here is that if you are sure you can trust whatever is giving you your DNS answers, you can skip the validation. (We'll skip over the detail that there are basically no validating clients, so in practice we do so now even without a trusted channel.)

That's clearly the direction we're going, so we might give some thought about how to get there without reinventing the wheel more times than we have to.

R's,
John

_______________________________________________
DNSOP mailing list -- [email protected]
