* Chris Adams:
> Once upon a time, Florian Weimer <fweimer(a)redhat.com> said:
> > At least that's a solvable problem: perform DNSSEC validation (to
> > prevent actual attacks) and pretend to clients that you didn't do it (to
> > avoid relying on signatures which aren't policy-conforming). DNSSEC
> > supports that approach quite well for ordinary record types. It's
> > different from the web, where https:// and http:// are not equivalent in
> > practice for many domains, and the schema is also visible to Javascript.
> A validating resolver only returns validated results to clients.
> There's no "validate but pretend you didn't" mode - if you are a
> validating resolver, you either return the record and NOERROR, or you
> set SERVFAIL.
You can return NOERROR without the AD bit. That's what I meant.
That's different from HTTPS: you can't pretend to a web page you
downloaded over HTTPS that it came in via HTTP.
Thanks,
Florian
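The behaviour the two posters are describing, as an added model (constructed example, not code from either poster or from any resolver): a validating resolver maps the validation outcome onto the DNS header it sends the client, and the "pretend you didn't validate" mode is simply clearing the AD flag on a NOERROR answer. The `hide_validation` policy knob and `Validation` enum are assumptions of this example; the flag bits and RCODE values are the standard RFC 1035 / RFC 4035 ones.

```python
import struct
from enum import Enum

# 16-bit DNS header flags field (RFC 1035 s4.1.1, AD/CD from RFC 4035)
QR, AD, CD = 0x8000, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


class Validation(Enum):        # outcome of the resolver's own DNSSEC check
    SECURE = "secure"          # chain of trust verified
    INSECURE = "insecure"      # provably unsigned (no AD, but answer is fine)
    BOGUS = "bogus"            # signed, but the signatures did not verify


def build_header(txid, flags, qd=1, an=0, ns=0, ar=0):
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


def parse_flags(header):
    return struct.unpack("!H", header[2:4])[0]


def rcode(header):
    return parse_flags(header) & 0x000F


def ad_set(header):
    return bool(parse_flags(header) & AD)


def resolver_response(txid, result, hide_validation, client_cd=False):
    """Header a validating resolver sends for a given validation outcome.

    BOGUS  -> SERVFAIL: the client never sees the record (Chris's point).
    SECURE -> NOERROR with AD, unless hide_validation is on, in which case
              AD is cleared: the client gets the protected answer but
              cannot tell it was validated (Florian's point).
    A client that set CD asked for no validation (RFC 4035 s3.2.2), so it
    gets the data either way and never an AD bit.
    """
    if client_cd:
        return build_header(txid, QR | CD | RCODE_NOERROR, an=1)
    if result is Validation.BOGUS:
        return build_header(txid, QR | RCODE_SERVFAIL)
    flags = QR | RCODE_NOERROR
    if result is Validation.SECURE and not hide_validation:
        flags |= AD
    return build_header(txid, flags, an=1)


if __name__ == "__main__":
    for hide in (False, True):
        h = resolver_response(0x1234, Validation.SECURE, hide)
        print(f"hide={hide}: rcode={rcode(h)} ad={ad_set(h)}")
```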