It appears that Philip Homburg <[email protected]> said:
>> > 2) There are two (or more) keys in a DNSSEC RRset that match an RRSIG record.
>> > This is the expensive part.
>>
>> This is not expensive. It is still cheap with the limit of 2 or 3
>> failures allowed. I mean, compare this to doing DoH to all auth
>> servers, this crypto operation amounts to nothing.
>
>It is exactly this limit that causes trouble for some validator software.

How? I'm not being snarky, I don't see what the problem is. You set some small limit on the number of validations you do, and then give up. I hope we agree that resolvers already do that.

R's,
John
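
A sketch of a validator with a cap on failed signature checks when several DNSKEYs share the key tag named in an RRSIG, added here as an illustration and not code from this thread or from any resolver. The key tag routine follows RFC 4034 Appendix B; the HMAC-based `verify`, the constructed keys, and the names `validate` and `max_failures` are assumptions made for the example.

```python
import hashlib
import hmac

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, per RFC 4034 Appendix B (not algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def sign(key: bytes, data: bytes) -> bytes:
    # Stand-in for a real DNSSEC signature (assumption): HMAC keyed by the RDATA.
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

def validate(data, dnskeys, rrsigs, max_failures=2):
    """Try each (RRSIG, DNSKEY) pair whose key tags match.

    Returns (status, attempts): 'secure' on the first good signature,
    'limit' once more than max_failures checks have failed, 'bogus' if
    every candidate was tried and none verified.
    """
    failures = attempts = 0
    for tag, sig in rrsigs:
        for key in dnskeys:
            if key_tag(key) != tag:
                continue  # cheap filter; only tag matches cost a verification
            attempts += 1
            if verify(key, data, sig):
                return ("secure", attempts)
            failures += 1
            if failures > max_failures:
                return ("limit", attempts)  # give up instead of trying every key
    return ("bogus", attempts)

# Constructed sample data: six DNSKEY RDATAs (flags 256, protocol 3, alg 13)
# whose key material is the same 16-bit words rotated, so all tags collide.
HEADER = bytes([0x01, 0x00, 3, 13])
PUB = bytes(range(16))
KEYS = [HEADER + PUB[2 * k:] + PUB[:2 * k] for k in range(6)]
TAG = key_tag(KEYS[0])
DATA = b"example. 3600 IN A 192.0.2.1"  # constructed RRset bytes

if __name__ == "__main__":
    for signer in (1, 5):
        print(signer, validate(DATA, KEYS, [(TAG, sign(KEYS[signer], DATA))]))
```

With the default budget, a signature from the second colliding key validates on the second attempt, while one from the sixth key is abandoned after three failed checks.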
