> It seems to me that a bare validator, freshly started, with no cache
> and no special configuration, knows nothing about what zones in the
> world are secured and which are not.

such a construct -might- be built, but of little or no use.
this is analogous to a "bare" resolver with no cache or special
configuration ... knowing nothing about where to send queries.
without "belt/suspenders", the resolver is kind of useless.

> Hand-configuring your validator to tell it "ORG is signed, root is
> signed, don't believe anybody who tells you otherwise" would
> presumably fix that. But replicating such dynamic information by way
> of static configuration in millions of independently-managed resolvers
> doesn't seem very scalable.
> Perhaps it's sufficient just to tell your validator "the root is
> signed, don't believe answers which suggest otherwise". But that
> requires a signed root, and in the meantime DNSSEC isn't providing
> any protection from middleboxes.

again, this is almost exactly the problem of maintaining
the root.cache file. some folks maintain their copies by
hand, some download from random sites (l.o.f).

the trick here is key maintenance/distribution. it's not
a protocol issue.

> Joe


to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.