Greetings again. Section 3 of this document says:

   If any of the steps above result in an error, the validating resolver
   SHOULD log them.

...and then what? Continue on merrily as if the priming worked? Just
logging the error seems like undershooting the security of using
trust anchors.

Later in that section, it says:

   If a validating resolver is unable to retrieve a signed DNSKEY RRSet
   corresponding to a trust anchor (i.e., prime the trust anchor), it
   SHOULD log this condition as an error. Inability to prime a zone's
   trust anchor results in the validating resolver's inability to
   validate data from the corresponding zone. The validating resolver
   SHOULD treat this zone as bogus.

It is not clear why not being able to get the DNSKEY RRSet is more
serious (and thus worth bogofying the zone) than the validating steps
not working.

Further, the last sentence has a "SHOULD" but doesn't say under what
circumstances a resolver can ignore the "SHOULD". Why isn't this
a "MUST"?

--Paul Hoffman, Director
--VPN Consortium