I'm thinking that maybe there's something in having DNSCurve be used for one leg of the journey, between customer and cache. Then the cache can use DNSSec to get the desired validity of data, withstanding all attempts to subvert it, and not needing to depend on any tricky key retrieval process that is out of band of the security mechanism.

Will it work? Should it work? Is it reasonable? And why aren't stub resolvers being encouraged to do their own DNSSec validation?

Cheers,
Sabahattin

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf