> There is no requirement
> to validate every RRset in a response. There can be lots of cruft
> in there that isn't validated. Requiring everything to be validated
> is a recipe to DoS a validator. Validators validate the parts of
> the responses that are necessary to verify the answer to the question
> and discard the rest.
>
> You seem to be under the impression that validators pass answers
> through. They don't, they deconstruct the answers they receive and
> reconstruct the answers they send. Even with the best of intentions
> on everyone's part one has to do this to prevent accidental cache
> poisoning.
Indeed, it depends on where your validator lives. If it is part of a recursive resolver and you have an RRset cache, then validating what you put in the cache makes sense. If the validator is part of a forwarder or of a stub resolver, or if you have a message cache, then validating the entire reply is required (except for the additional section).

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
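The two validator placements in this exchange, as an added Python model that is not from either poster and not any resolver's code. It uses an HMAC over the canonical RRset, keyed by a per-zone secret, as a stand-in for the RRSIG/DNSKEY pair (an assumption of the example; real validation chains DNSKEY to DS to a trust anchor), and a constructed reply to `www.example. A` with a CNAME chain, an unrelated "cruft" RRset, an NS RRset and unsigned glue. The RRset-cache validator walks the CNAME chain, verifies only those RRsets and rebuilds the answer from them, so a bogus unrelated RRset is simply never copied; the message-cache validator must verify every RRset in answer and authority and rejects the whole reply when any one fails. All names, keys and addresses are constructed for the example; the `sample_response`, `validate_for_rrset_cache` and `validate_for_message_cache` functions are hypothetical helpers.

```python
"""Toy model of two DNSSEC validator placements (constructed example).
An HMAC over the canonical RRset stands in for RRSIG + DNSKEY; the
DNSKEY -> DS -> trust anchor chain is not modelled."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed per-zone "keys" (assumption: one trusted key per signer name).
ZONE_KEYS = {"example.": b"example-zone-key-constructed"}


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: Tuple[str, ...]   # sorted, as in canonical RRset ordering
    signer: str              # zone whose key covers this RRset (RRSIG signer)
    sig: bytes


def canonical(name: str, rtype: str, rdata) -> bytes:
    """What the stand-in signature covers: owner name, type, sorted rdata."""
    return "\n".join([name.lower(), rtype] + sorted(rdata)).encode()


def sign(name: str, rtype: str, rdata, signer: str) -> RRset:
    """Stand-in for RRSIG generation by the zone's key."""
    rdata = tuple(sorted(rdata))
    sig = hmac.new(ZONE_KEYS[signer], canonical(name, rtype, rdata), hashlib.sha256).digest()
    return RRset(name, rtype, rdata, signer, sig)


def verify(rr: RRset) -> bool:
    """Stand-in for RRSIG verification against the signer's trusted key."""
    key = ZONE_KEYS.get(rr.signer)
    if key is None:
        return False
    expected = hmac.new(key, canonical(rr.name, rr.rtype, rr.rdata), hashlib.sha256).digest()
    return hmac.compare_digest(expected, rr.sig)


@dataclass
class Message:
    qname: str
    qtype: str
    answer: List[RRset]
    authority: List[RRset] = field(default_factory=list)
    additional: List[RRset] = field(default_factory=list)


def find(section: List[RRset], name: str, rtype: str) -> Optional[RRset]:
    for rr in section:
        if rr.name.lower() == name.lower() and rr.rtype == rtype:
            return rr
    return None


def answer_chain(msg: Message) -> List[RRset]:
    """Follow CNAMEs from qname to a qtype RRset and return only the RRsets
    the answer depends on (positive answers only; negative answers would
    additionally need NSEC/NSEC3 proofs from the authority section)."""
    chain, name, seen = [], msg.qname, set()
    while name.lower() not in seen:          # guard against CNAME loops
        seen.add(name.lower())
        target = find(msg.answer, name, msg.qtype)
        if target is not None:
            chain.append(target)
            return chain
        cname = find(msg.answer, name, "CNAME")
        if cname is None:
            break
        chain.append(cname)
        name = cname.rdata[0]
    return []                                 # chain never reaches qtype


def validate_for_rrset_cache(msg: Message) -> Optional[Message]:
    """Recursive resolver with an RRset cache: validate the RRsets the answer
    depends on, then rebuild a fresh message from them.  Unrelated RRsets,
    valid or not, are never copied, so they cannot reach the cache."""
    chain = answer_chain(msg)
    if not chain or not all(verify(rr) for rr in chain):
        return None
    return Message(msg.qname, msg.qtype, answer=chain)


def validate_for_message_cache(msg: Message) -> Optional[Message]:
    """Forwarder, stub or message cache: the reply is stored as one unit, so
    every RRset in answer and authority must verify.  The additional section
    is not validated; dropping it is this example's choice."""
    for rr in msg.answer + msg.authority:
        if not verify(rr):
            return None
    return Message(msg.qname, msg.qtype, list(msg.answer), list(msg.authority))


def sample_response(cruft_valid: bool = True, tamper_chain: bool = False) -> Message:
    """Constructed reply to 'www.example. A': CNAME chain, one unrelated TXT
    RRset (the 'cruft'), an NS RRset, and unsigned glue in additional."""
    cname = sign("www.example.", "CNAME", ["host.example."], "example.")
    a = sign("host.example.", "A", ["192.0.2.10"], "example.")
    cruft = sign("junk.example.", "TXT", ["unrelated"], "example.")
    if not cruft_valid:                       # forged/garbage signature
        cruft = RRset(cruft.name, cruft.rtype, cruft.rdata, cruft.signer, b"\0" * 32)
    if tamper_chain:                          # rdata altered after signing
        a = RRset(a.name, a.rtype, ("198.51.100.66",), a.signer, a.sig)
    ns = sign("example.", "NS", ["ns1.example."], "example.")
    glue = RRset("ns1.example.", "A", ("192.0.2.1",), "example.", b"")
    return Message("www.example.", "A", [cname, cruft, a], [ns], [glue])
```

With the garbage TXT RRset in the answer section, `validate_for_rrset_cache` still returns a clean two-RRset answer (CNAME then A) because it never looks at the cruft, while `validate_for_message_cache` rejects the entire reply; tampering with the A record's rdata makes both reject it.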
