I'm thinking that maybe there's something in having DNSCurve be used for one
leg of the journey, between customer and cache. Then the cache can use DNSSEC
to get the desired validity of data, withstanding all attempts to subvert it,
and not needing to depend on any tricky key retrieval process that is out of
band of the security mechanism.

Will it work? Should it work? Is it reasonable? And why aren't stub
resolvers being encouraged to do their own DNSSEC validation?

Cheers,
Sabahattin
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf