Dear dnssec-experts,

I recently found a situation where an ISP is doing an "incremental
rollout" of DNSSEC validation, by means of activating validation on
1 of its 3 resolvers for its customers.

Even if it could be a conservative way to help test the load and
behaviour of its resolvers, I'm in a discussion about whether this helps
its customers at all. AFAIK every stub resolver in customers' appliances
would never be protected, because a stub receiving a SERVFAIL from the
validating resolver for a bogus record would try one of the other
two, which will deliver the "wrong" answer, because they're not validating
at all. So, 1 of 3 is the same as none, from the customer's side. The same
with 2. The only real protection will be all resolvers doing validation.

Can you confirm this? Is there any research or documentation on the
way stubs work that could clarify this issue?

Thanks and regards!

Hugo

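The fallback behaviour described in the message above, as an added simulation that is not part of the original post or any resolver's code. It models a stub that walks its configured server list and moves on when a server answers SERVFAIL (the behaviour of the common sequential stubs, e.g. glibc's res_send; a "parallel, first usable answer wins" stub is modelled as well), and an attacker-forged record that every recursive resolver sees but only the validating ones reject. The zone name, addresses and the `attacked` / `validating` flags are constructed for the example; no real DNS traffic is sent.

```python
"""Constructed model of stub-resolver fallback against a resolver set in
which only some members validate DNSSEC.  Example code written for this
thread; not from the original post and not any real resolver's logic."""
from typing import Callable, List, Optional, Tuple

# Upstream answer model: (rcode, rdata).  rcode names follow RFC 1035/2136.
Answer = Tuple[str, Optional[str]]
Resolver = Callable[[str], Answer]

# Constructed zone data (TEST-NET addresses, RFC 5737): the signed, authentic
# record and an attacker-forged one whose RRSIG will not validate.
QNAME = "www.example.test."
AUTHENTIC = {QNAME: "192.0.2.10"}
BOGUS = {QNAME: "203.0.113.66"}  # forged rdata, constructed for the example


def make_resolver(validating: bool, attacked: bool) -> Resolver:
    """Return a function that answers like a recursive resolver.

    `attacked` models forged data reaching this resolver (cache poisoning or
    an on-path injection); `validating` models DNSSEC validation being on.
    A validating resolver that sees bogus data answers SERVFAIL
    (RFC 4035 section 5.5); a non-validating one passes it through.
    """
    def resolve(name: str) -> Answer:
        if name not in AUTHENTIC:
            return ("NXDOMAIN", None)
        if attacked:
            if validating:
                return ("SERVFAIL", None)
            return ("NOERROR", BOGUS[name])
        return ("NOERROR", AUTHENTIC[name])
    return resolve


def stub_query(name: str, resolvers: List[Resolver],
               strategy: str = "sequential", attempts: int = 2) -> Answer:
    """Model two common stub behaviours.

    sequential: try servers in order, step to the next one on SERVFAIL, give
                up only after `attempts` passes over the list (glibc-like,
                an assumption of this model).
    parallel:   ask every server and take the first non-SERVFAIL answer.
    In both, SERVFAIL is treated as "this server is broken", not as
    "this data is bad", which is the point of the thread.
    """
    last: Answer = ("SERVFAIL", None)
    if strategy == "parallel":
        replies = [r(name) for r in resolvers]
        usable = [a for a in replies if a[0] != "SERVFAIL"]
        return usable[0] if usable else last
    for _ in range(attempts):
        for r in resolvers:
            rcode, data = r(name)
            if rcode != "SERVFAIL":
                return (rcode, data)
            last = (rcode, data)
    return last


def client_outcome(validating_flags: List[bool], attacked: bool = True,
                   strategy: str = "sequential") -> str:
    """What the application finally sees: 'authentic', 'bogus' or 'servfail'.

    validating_flags[i] says whether the i-th configured resolver validates.
    """
    resolvers = [make_resolver(v, attacked) for v in validating_flags]
    rcode, data = stub_query(QNAME, resolvers, strategy=strategy)
    if rcode == "SERVFAIL":
        return "servfail"
    return "authentic" if data == AUTHENTIC[QNAME] else "bogus"


if __name__ == "__main__":
    for flags in ([True, False, False], [True, True, False], [True, True, True]):
        for strategy in ("sequential", "parallel"):
            print(f"{flags} {strategy:10s} -> {client_outcome(flags, strategy=strategy)}")
```

In this model the client only ends up with SERVFAIL, i.e. actually refuses the forged record, when every configured resolver validates; with one or two of three validating it receives the bogus rdata under both stub strategies, because the stub treats SERVFAIL as a server failure to route around rather than as a validation verdict. The `attacked=False` case shows the same code returning the authentic answer regardless of how many resolvers validate.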