The last mile problem still remains, some say run full validator at end, others say wider channel from validating resolver to stub-resolver, so far the WG has not seen any proposals to address this.
Well, running a full validator at the end does not solve the last-mile problem. Not unless we have a standardized mechanism for applications to specify their validating policies to the validating stub resolver, and not unless we have a standardized way for applications to get the results of validation from the validating stub resolver (may I now refer you to draft-hayatnagarkar-dnsext-validator-api :) ).
Even without a full validator at the end, we (as a working group) have yet to decide what level of validation information and policy must be extruded on-the-wire. Whatever information we do choose to carry on-the-wire, it still needs to be consistent with the results returned by a validating stub resolver since the API for applications has to be the same.
The last time I asked informally, the answer that I got was that API work was not within the scope of this working group, and extruding detailed validation policy and authentication chain information on-the-wire, even though within scope, was a bad idea. Is this still the working group's sentiment? If draft-hayatnagarkar-dnsext-validator-api is not within scope for DNSEXT, which working group is better suited to standardize last-mile issues/solutions?
Suresh