In message <[email protected]>, Andrew Sullivan writes:
> Note that each end node is in a position to do this for itself.  If a
> request arrives at a recursive, validating resolver with the CD bit
> set, then that recursive resolver MUST return whatever security data
> it gets to the originating querier.  It also MAY do validation
> itself according to local policy, but it's not allowed to return
> SERVFAIL if the validation fails: it's just supposed to hand back the
> apparently-bogus answer anyway.  This allows for the case where the
> end node has a trust anchor that will allow the response to validate,
> even though the intermediate system (i.e. recursing resolver) doesn't.

        Or clock skew or ....
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
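The behaviour the quoted message describes, as an added illustration that is not part of this thread: a toy recursive resolver that returns SERVFAIL for bogus data only when CD is clear, hands the answer and its security data back untouched when CD is set, and an end node that then validates for itself. Header flag values are the standard wire-format bits; the RRSIG, the trust-anchor check and the clock values are constructed stand-ins (the cryptographic check is reduced to a boolean), so this models the policy, not real DNSSEC validation.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD per RFC 4035 section 3.2).
QR = 0x8000
RD = 0x0100
RA = 0x0080
AD = 0x0020
CD = 0x0010
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_MASK = 0x000F


def build_header(qid, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a 12-byte DNS header in wire format."""
    return struct.pack("!HHHHHH", qid, flags, qdcount, ancount, nscount, arcount)


def parse_header(data):
    """Unpack the 12-byte DNS header into the fields this example cares about."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "flags": flags, "cd": bool(flags & CD), "ad": bool(flags & AD),
            "rcode": flags & RCODE_MASK, "ancount": an}


class Rrsig:
    """Constructed stand-in for an RRSIG: only the validity window and the
    (assumed) outcome of the signature check are modelled."""

    def __init__(self, inception, expiration, crypto_ok=True):
        self.inception = inception
        self.expiration = expiration
        self.crypto_ok = crypto_ok


def validate(rrsig, now, has_trust_anchor):
    """Local validation: bogus if there is no usable trust anchor, if the local
    clock falls outside the RRSIG window (clock skew), or if the signature fails."""
    if not has_trust_anchor:
        return False
    if not (rrsig.inception <= now <= rrsig.expiration):
        return False
    return rrsig.crypto_ok


def recursive_respond(query_hdr, answer, rrsig, now, has_trust_anchor):
    """Response policy of a recursive, validating resolver for one query.
    Returns (response_header, answer, rrsig)."""
    q = parse_header(query_hdr)
    secure = validate(rrsig, now, has_trust_anchor)
    if q["cd"]:
        # CD set: return the answer and its security data regardless of what
        # local validation concluded; never SERVFAIL here, and never claim AD.
        flags = QR | RD | RA | CD | RCODE_NOERROR
        return build_header(q["id"], flags, ancount=2), answer, rrsig
    if secure:
        flags = QR | RD | RA | AD | RCODE_NOERROR
        return build_header(q["id"], flags, ancount=2), answer, rrsig
    # CD clear and validation failed: withhold the bogus data.
    return build_header(q["id"], QR | RD | RA | RCODE_SERVFAIL), None, None


def stub_resolve(qid, set_cd, answer, rrsig, recursive_now, recursive_has_ta,
                 end_now, end_has_ta):
    """End node sends a query (optionally with CD set) and validates locally."""
    query = build_header(qid, RD | (CD if set_cd else 0))
    hdr, resp_answer, resp_rrsig = recursive_respond(
        query, answer, rrsig, recursive_now, recursive_has_ta)
    r = parse_header(hdr)
    if r["rcode"] != RCODE_NOERROR:
        return {"rcode": r["rcode"], "ad": r["ad"], "answer": None, "validated_locally": False}
    return {"rcode": r["rcode"], "ad": r["ad"], "answer": resp_answer,
            "validated_locally": validate(resp_rrsig, end_now, end_has_ta)}


# Constructed scenario: the signature is valid from t=1000 to t=2000. The
# recursive resolver's clock is skewed to t=2500 (past expiration), so it
# judges the data bogus; the end node's clock reads t=1500 and is correct.
SIG = Rrsig(inception=1000, expiration=2000)
ANSWER = ("www.example.", "A", "192.0.2.1")  # constructed record, TEST-NET-1 address


def demo_without_cd():
    return stub_resolve(0x1234, False, ANSWER, SIG, 2500, True, 1500, True)


def demo_with_cd():
    return stub_resolve(0x1234, True, ANSWER, SIG, 2500, True, 1500, True)


if __name__ == "__main__":
    print("CD clear:", demo_without_cd())  # SERVFAIL, no data reaches the end node
    print("CD set:  ", demo_with_cd())     # NOERROR, end node validates successfully
```

With CD clear the skewed intermediate returns SERVFAIL and the end node never sees the data; with CD set the same intermediate returns the answer plus RRSIG without the AD bit, and the end node, whose clock is right, validates it itself. Swapping the skew to the end node's clock instead gives the opposite outcome, which is why the CD bit moves the decision to whichever side holds the trust anchor and the correct clock.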
