Moin!

On 17.04.2012, at 09:29, Olafur Gudmundsson wrote:

> When resolving with DNSSEC-trigger on Comcast's network DNSSEC-Trigger acts
> like a forwarding stub-validator.
> For it to be happy when there is a NTA in place, the upstream resolvers MUST
> return to it the non-validatable RRSIG (if they exist).
>
> The current draft is silent on the behavior of the validating resolver as to whether
> it returns the answers with RRSIGs or without.
>
> The reason for this is if NTA strips signatures the stub-validator thinks it
> is under attack and may
> a) go into recursive mode to try to resolve the domain, getting to the right
> answer the long way.
> b) Give the wrong error "Missing signatures" instead of the real error.
>
> If all the validator does is not to set the AD bit for RRsets at and below
> the NTA, stub-resolvers (and cascading resolvers) should be happy.
That's exactly what at least our implementation (Nominum Vantio) that Comcast uses does, and I agree that this behavior should be specified in the draft.

So long
-Ralf
---
Ralf Weber
Senior Infrastructure Architect
Nominum Inc.
2000 Seaport Blvd. Suite 400
Redwood City, California 94063
ralf.we...@nominum.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
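The behavior discussed in the thread, modelled as an added example that is not part of the mailing-list exchange or of any resolver mentioned in it: a validator's final answer-handling step under a Negative Trust Anchor keeps the RRSIGs and only leaves the AD bit unset, next to the signature-stripping variant and what a forwarding stub validator makes of each. Zone and owner names, the RRSIG strings and the rcode values are constructed placeholders.

```python
from dataclasses import dataclass, field, replace

@dataclass
class RRset:
    owner: str
    rtype: str
    rdata: list
    rrsigs: list = field(default_factory=list)  # RRSIG records covering this RRset

@dataclass
class Response:
    rrsets: list
    ad: bool = False          # AD (Authentic Data) header bit
    rcode: str = "NOERROR"

def at_or_below(name, zone):
    """DNS name containment: True if name is the zone itself or a descendant of it."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def finalize_validated_answer(resp, validation_ok, nta_zones):
    """Validator's last step before answering a client.
    - No NTA and validation failed: SERVFAIL (normal bogus handling).
    - NTA covers the data: answer is served, RRSIGs kept, AD bit not set.
    - Otherwise: AD reflects the validation result."""
    covered = any(at_or_below(rr.owner, z) for rr in resp.rrsets for z in nta_zones)
    if covered:
        return replace(resp, ad=False, rcode="NOERROR")
    if not validation_ok:
        return replace(resp, ad=False, rcode="SERVFAIL", rrsets=[])
    return replace(resp, ad=True)

def strip_signatures(resp, nta_zones):
    """The behaviour the thread warns against: RRSIGs removed at and below the NTA."""
    return replace(resp, ad=False, rrsets=[
        replace(rr, rrsigs=[]) if any(at_or_below(rr.owner, z) for z in nta_zones) else rr
        for rr in resp.rrsets])

def stub_validator_view(resp, signed_zones):
    """What a forwarding stub validator concludes (simplified): it ignores the upstream
    AD bit and expects RRSIGs on data from zones it knows to be signed."""
    for rr in resp.rrsets:
        if any(at_or_below(rr.owner, z) for z in signed_zones) and not rr.rrsigs:
            return "missing-signatures"   # failure mode (b): the wrong error gets reported
    return "rrsigs-present"               # stub validates itself and sees the real result

def sample_answer():
    """Constructed answer for a zone under an NTA (placeholder names, not from the thread)."""
    return Response(rrsets=[RRset("www.nta-zone.example", "A", ["192.0.2.10"],
                                  rrsigs=["RRSIG(A) by nta-zone.example key 12345"])])
```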