When resolving with DNSSEC-Trigger on Comcast's network, DNSSEC-Trigger acts like a forwarding stub-validator. For it to be happy when there is an NTA in place, the upstream resolvers MUST return to it the non-validatable RRSIGs (if they exist).

The current draft is silent on the behavior of the validating resolver as to whether it returns the answers with RRSIGs or without.

The reason for this is that if the NTA strips signatures, the stub-validator thinks it is under attack and may a) go into recursive mode to try to resolve the domain, getting to the right answer the long way;
b) give the wrong error "Missing signatures" instead of the real error.

If all the validator does is not set the AD bit for RRsets at and below the NTA, stub-resolvers (and cascading resolvers) should be happy.

        Olafur
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
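The two NTA behaviours contrasted in the post, as an added model that is not code from the post, from DNSSEC-Trigger or from the draft. The zone name, the record shapes, the `valid` flag standing in for real RRSIG verification, and all function names are constructed assumptions; the model shows that an NTA which only clears AD leaves the downstream stub-validator with the real error, while one that strips RRSIGs produces the misleading "missing signatures" error.

```python
from dataclasses import dataclass

# Constructed model: validating resolver with a Negative Trust Anchor (NTA)
# in front of a forwarding stub-validator. Names and flags are assumptions.
NTA_ZONES = {"example.com."}  # operator-configured NTA (constructed)


@dataclass
class Response:
    name: str
    rrset: list          # the answer RRset (constructed records)
    rrsigs: list         # RRSIG records carried with the answer, possibly empty
    ad: bool = False     # AD bit: resolver asserts the data is authentic


def under_nta(name: str) -> bool:
    return any(name == z or name.endswith("." + z) for z in NTA_ZONES)


def sigs_verify(rrsigs: list) -> bool:
    # Stand-in for real RRSIG verification; each record carries a "valid" flag.
    return bool(rrsigs) and all(sig["valid"] for sig in rrsigs)


def resolve(name: str, rrset: list, rrsigs: list, strip_under_nta: bool = False):
    """Upstream validating resolver. Returns a Response, or None for SERVFAIL."""
    if sigs_verify(rrsigs):
        return Response(name, rrset, rrsigs, ad=True)
    if under_nta(name):
        # NTA: return the answer without asserting authenticity (AD cleared).
        # strip_under_nta=True models the behaviour the post warns against.
        return Response(name, rrset, [] if strip_under_nta else rrsigs, ad=False)
    return None  # bogus and no NTA: SERVFAIL


def stub_validate(resp: Response) -> str:
    """Forwarding stub-validator (DNSSEC-Trigger-like) re-checking the answer.
    It ignores the upstream AD bit and judges the signatures it is handed."""
    if not resp.rrsigs:
        return "bogus: missing signatures"            # the misleading error
    if sigs_verify(resp.rrsigs):
        return "secure"
    return "bogus: signature does not validate"       # the real error


def scenario(strip_under_nta: bool) -> str:
    # Constructed answer under the NTA whose signature fails to verify.
    name, rrset = "www.example.com.", [("A", "192.0.2.1")]
    rrsigs = [{"type": "RRSIG", "valid": False}]
    return stub_validate(resolve(name, rrset, rrsigs, strip_under_nta))
```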
