* Jim Reid:

> On 15 Jan 2010, at 13:20, Florian Weimer wrote:
>
>> DO is rather pointless because the priming response cannot be
>> validated anyway (even if ROOT-SERVERS.NET were secure, which is
>> currently not planned).
>
> It's not pointless. Validating the priming response requires two
> operations. The first of these is checking the signature over the root
> zone's NS RRset. Which won't be returned unless the DO bit is set.
> [Let's avoid the rat-hole of a DNSSEC-aware resolver iteratively
> querying for DNSKEYs, RRSIGs and so on.]
I'm not sure this narrow perspective is helpful. Given the amount of work
required to validate the priming response (which resolvers aren't required
to do until they see a client query for ./IN/NS, similar to what happens
with all the other NS RRsets), it really doesn't matter if you send a DO=0
query first, to get the addresses (in the additional section), and then a
DO=1 query, to get the signature on the NS RRset (in the answer section).

-- 
Florian Weimer                <fwei...@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
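The two-query priming sequence described above, as an added example that is not part of the thread and not code from any of its participants: a small pure-Python DNS wire-format builder and parser that issues ./IN/NS with and without the EDNS0 DO bit and shows where the glue addresses and the RRSIG over the root NS RRset appear. The function names (`priming_query`, `parse_message`, `two_step_priming`), the stand-in server `constructed_priming_response`, the name server `a.example-root.test.` and the address 192.0.2.1 are all invented for this example; the RRSIG carries placeholder signature bytes and nothing is sent over the network. Response size and truncation are not modelled.

```python
"""Added example (not from the thread): build a root priming query (./IN/NS) with and
without the EDNS0 DO bit and walk a constructed reply to see where the NS RRset, its
RRSIG and the glue addresses land. Names and addresses are made up; nothing hits the network."""
import struct

TYPE = {"A": 1, "NS": 2, "AAAA": 28, "OPT": 41, "RRSIG": 46}
TYPE_NAME = {v: k for k, v in TYPE.items()}
DO_FLAG = 0x8000  # DO bit: top bit of the 16 flag bits carried in the OPT "TTL" field (RFC 3225)

def encode_name(name):
    """Wire-encode a dotted name; the root "." is a single zero octet."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def opt_rr(do, udp_size=4096):
    """EDNS0 OPT pseudo-RR: owner=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, no options."""
    return encode_name(".") + struct.pack("!HHIH", TYPE["OPT"], udp_size, DO_FLAG if do else 0, 0)

def priming_query(txid, do=None):
    """Query for ./IN/NS with RD=0. do=None sends no OPT at all; do=False/True adds an OPT with DO clear/set."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0 if do is None else 1)
    question = encode_name(".") + struct.pack("!HH", TYPE["NS"], 1)  # QTYPE=NS, QCLASS=IN
    return header + question + (b"" if do is None else opt_rr(do))

def read_name(msg, off):
    """Decode a possibly compressed name at msg[off:], returning (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def decode_rdata(msg, rtype, off, rdlen):
    """Readable RDATA for the types this example cares about; raw bytes otherwise."""
    if rtype == TYPE["NS"]:
        return read_name(msg, off)[0]
    if rtype == TYPE["A"]:
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype == TYPE["RRSIG"]:  # first RDATA field is the type covered
        return "covers " + TYPE_NAME.get(struct.unpack("!H", msg[off:off + 2])[0], "?")
    return msg[off:off + rdlen]

def parse_message(msg):
    """Split a DNS message into sections; the OPT RR is lifted out into 'edns'/'do' rather than listed."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "flags": flags, "question": [], "edns": False, "do": False,
           "answer": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        out["question"].append((name, TYPE_NAME.get(struct.unpack("!H", msg[off:off + 2])[0])))
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE["OPT"]:
                out["edns"], out["do"] = True, bool(ttl & DO_FLAG)
            else:
                out[section].append((name, TYPE_NAME.get(rtype, rtype), decode_rdata(msg, rtype, off, rdlen)))
            off += rdlen
    return out

def rr(name, rtype, rdata, ttl=518400):
    return encode_name(name) + struct.pack("!HHIH", TYPE[rtype], 1, ttl, len(rdata)) + rdata

def constructed_priming_response(query):
    """Stand-in root server (constructed data): NS RRset in the answer section, an RRSIG over it
    only when the query set DO, the name server's address as glue in the additional section."""
    q = parse_message(query)
    answer = rr(".", "NS", encode_name("a.example-root.test."))
    if q["do"]:  # RRSIG RDATA: type covered, alg, labels, orig TTL, expiry, inception, key tag, signer, sig
        answer += rr(".", "RRSIG", struct.pack("!HBBIIIH", TYPE["NS"], 8, 0, 518400, 0, 0, 0)
                     + encode_name(".") + b"\x00" * 16)  # placeholder signature bytes
    additional = rr("a.example-root.test.", "A", bytes([192, 0, 2, 1]))
    if q["edns"]:
        additional += opt_rr(q["do"])  # echo EDNS; glue is non-authoritative data and carries no RRSIG
    header = struct.pack("!HHHHHH", q["id"], 0x8400, 1, 2 if q["do"] else 1, 0, 2 if q["edns"] else 1)
    return header + encode_name(".") + struct.pack("!HH", TYPE["NS"], 1) + answer + additional

def two_step_priming(server):
    """The sequence from the message: DO=0 for the addresses (additional section),
    then DO=1 for the signature over the root NS RRset (answer section)."""
    r0 = parse_message(server(priming_query(1, do=False)))
    r1 = parse_message(server(priming_query(2, do=True)))
    glue = [(name, rdata) for name, rtype, rdata in r0["additional"] if rtype in ("A", "AAAA")]
    sigs = [rdata for _name, rtype, rdata in r1["answer"] if rtype == "RRSIG"]
    return glue, sigs
```

`two_step_priming(constructed_priming_response)` returns the glue addresses collected from the DO=0 reply and the RRSIGs found in the answer section of the DO=1 reply; swapping the stand-in for a function that sends the query bytes over UDP and returns the reply would exercise a real server (not shown). The only EDNS mechanics involved are that the OPT pseudo-RR travels in the additional section and that DO is the top flag bit packed into its TTL field, which is why `parse_message` pulls the OPT out before listing records.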