

To: dnssec@cafax.se
From: Rob Austein <sra+dnssec@hactrn.net>
Date: Mon, 10 May 2004 19:32:46 -0400
In-Reply-To: <200405102304.i4AN4CV13517@boreas.isi.edu>
Sender: owner-dnssec@cafax.se
User-Agent: Wanderlust/2.10.1 (Watching The Wheels) Emacs/21.3 Mule/5.0 (SAKAKI)
Subject: Re: dnssec: resolver - application communication

I have a couple of messages on this thread queued up on cafax from
before I remembered which address I'd used to subscribe, but the gist
was:

a) See the discussion in draft-ietf-dnsext-dns-threats, particularly
   "Betrayal by Trusted Server".

b) The definition of the CD bit changed between RFC 2535 and DNSSECbis
   (this should not be news, since the WG discussed it at length).
   The main point of the change was to make verifying stub resolvers
   possible.

c) Please see the definition of the CD bit in the DNSSECbis specs: if
   it's still not useful for this, please say so (and why), ASAP.

The general idea is that sig verification is essentially an end-to-end
process (trust relationship between zone signer and verifier), whereas
resolution per se is more of a hop-by-hop thing when one considers
stub resolvers, forwarders, and other fun.
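An added illustration of the CD bit mechanics the message refers to (this is example code written for this archive page, not part of Rob Austein's message or of any DNSSEC implementation): a verifying stub resolver builds a query with RD and CD set and an EDNS0 OPT record with the DO bit, so the recursive resolver hands back DNSSEC data without validating it, and the stub does the end-to-end signature check itself. The flag bit positions and the OPT record layout are from RFC 1035 and RFC 4035; `recursive_response_flags` is a deliberately simplified model of a validating recursive resolver's AD/CD handling (CD echoed, AD only when the resolver validated and CD was clear) and the payload size and transaction ids are constructed values.

```python
import struct

# Bits in the 16-bit flags word of the DNS header (RFC 1035 section 4.1.1;
# AD and CD were added by RFC 2535 and redefined in RFC 4035).
FLAG_QR = 0x8000  # 1 = response, 0 = query
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authentic Data: set by a resolver that validated the answer
FLAG_CD = 0x0010  # Checking Disabled: "do not validate for me, I will verify myself"

EDNS_DO = 0x8000   # DNSSEC OK bit in the OPT record's extended flags (RFC 4035 3.2.1)
TYPE_OPT = 41


def encode_name(name: str) -> bytes:
    """Encode a dotted name into uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, txid, checking_disabled, dnssec_ok, payload_size=1232):
    """Build a query packet as a verifying stub resolver would send it."""
    flags = FLAG_RD
    if checking_disabled:
        flags |= FLAG_CD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # qd=1, ar=1 (the OPT RR)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16) with DO at 0x8000, RDLENGTH=0.
    ext_flags = EDNS_DO if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload_size, ext_flags, 0)
    return header + question + opt


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte header into named flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def skip_name(packet: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = packet[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def edns_dnssec_ok(packet: bytes) -> bool:
    """True if the packet carries an OPT record with the DO bit set."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(packet, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(packet, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return bool(ttl & EDNS_DO)
    return False


def recursive_response_flags(query: bytes, validated_ok: bool) -> int:
    """Simplified model (an assumption of this example) of a validating recursive
    resolver's reply flags: CD is copied from the query and, when set, the data is
    passed through unvalidated with AD clear; otherwise AD reports validation."""
    q = parse_header(query)
    flags = FLAG_QR | FLAG_RA
    if q["rd"]:
        flags |= FLAG_RD
    if q["cd"]:
        flags |= FLAG_CD
    elif validated_ok:
        flags |= FLAG_AD
    return flags


def stub_must_verify(response_flags: int) -> bool:
    """A verifying stub trusts no hop: it verifies whenever it asked for CD or
    the upstream did not assert AD."""
    return bool(response_flags & FLAG_CD) or not (response_flags & FLAG_AD)
```

Running `build_query("example.com.", 1, 0x1234, checking_disabled=True, dnssec_ok=True)` yields a packet with CD and DO set and AD clear; the modelled recursive reply echoes CD without AD, and `stub_must_verify` then reports that the end-to-end signature check is the stub's job, which is the hop-by-hop versus end-to-end split the message describes.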

