Comment by jcalvinowens

5 hours ago

It's not necessarily equivalent to a recursive lookup; you can ask a cache for all the answers because you already know the root keys a priori. But yes, it does follow the entire chain of trust; that's the entire point of DNSSEC: if you don't do that the whole exercise is utterly pointless.

It's explicitly not the point of DNSSEC, which has for most of its entire existence been designed to be run as a server-to-server protocol, with stub resolvers trusting their upstream DNS servers.

I agree with you, though. It's utterly pointless.

  • Not true, RFC 4035 says all security-aware resolvers SHOULD verify the signatures. It's far from pointless when actually implemented. Don't dismiss a whole protocol just because some historical implementations have been half-assed.

    • The RFC uses "security-aware" to set them apart from ordinary resolvers, which are what every mainstream resolver uses.