Bottom-up DNSSEC validation
4

Security status unknown until chain is complete

Impossible to determine source of errors
Bogus or spoofed sigs?
Unsecure?

Caching forwarders
Incomplete data in answers for validation