On Wed, Apr 2, 2014 at 2:40 PM, Mark Andrews <ma...@isc.org> wrote:
> > I don't think this makes much sense for a coherent resolver. If I were
> > writing a resolver, the behaviour would instead be: try really hard to
> > find a valid response, exhaust every reasonable possibility. If it can't
> > get a valid response, then if CD=1 it's ok to pass back the invalid
> > response and its supposed signatures - maybe the stub will know better, at
> > least fail open. If CD=0, then SERVFAIL, fail closed.
>
> Guess what, resolvers do not work like that. They are not required
> to work like that.
Nothing can compel any particular resolver to choose a particular implementation - but I take note of https://tools.ietf.org/html/rfc6840#section-5.9 and https://tools.ietf.org/html/rfc6840#appendix-B, which recommend it (as a "SHOULD"), and I generally agree with the good reasoning that's in the RFC.

As I wrote, if it were me writing a validating stub resolver, I would always set CD=1 - and when acting as an intermediate resolver, I would always make a reasonable effort to find a validating response, even if CD=0 is on the incoming query.

I'm certain that at least one resolver does work like this, and I suspect it's also how Google Public DNS works, based on some experimentation.

-- Colm
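The response policy argued for in this thread (exhaust every candidate before giving up, then fail open with AD=0 when CD=1 and SERVFAIL when CD=0), as an added toy model that is not code from the thread or from any resolver. An HMAC over the RDATA stands in for real RRSIG chain validation; the candidate responses, names and key are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a trust anchor: a real resolver validates RRSIG
# chains up to the root; here an HMAC over the RDATA plays the signature's role.
TRUST_KEY = b"constructed-trust-anchor"


@dataclass
class Response:
    source: str   # which upstream server / path produced this answer
    rdata: str    # the answer data
    sig: bytes    # the purported signature over rdata


def sign(rdata: str) -> bytes:
    return hmac.new(TRUST_KEY, rdata.encode(), hashlib.sha256).digest()


def validates(resp: Response) -> bool:
    return hmac.compare_digest(resp.sig, sign(resp.rdata))


def resolve(candidates, cd: bool):
    """RFC 6840 section 5.9 style policy. `candidates` models the answers a
    resolver can obtain by retrying other nameservers, transports or paths.
    Returns (rcode, rdata, ad_flag)."""
    last_bogus = None
    for resp in candidates:            # exhaust every reasonable possibility
        if validates(resp):
            return ("NOERROR", resp.rdata, True)    # validated: AD=1
        last_bogus = resp
    if last_bogus is not None and cd:
        # CD=1: fail open, hand back the unvalidated answer and let the
        # (validating) stub decide; AD=0 signals it was not validated here.
        return ("NOERROR", last_bogus.rdata, False)
    return ("SERVFAIL", None, False)               # CD=0: fail closed


# Constructed sample: one server hands back a tampered answer, another a good one.
GOOD = Response("ns2.example", "192.0.2.10", sign("192.0.2.10"))
BOGUS = Response("ns1.example", "198.51.100.99", sign("192.0.2.10"))

if __name__ == "__main__":
    print(resolve([BOGUS, GOOD], cd=False))
    print(resolve([BOGUS], cd=False))
    print(resolve([BOGUS], cd=True))
```

Note that with CD=0 the bogus-only case yields SERVFAIL even though a retry path exists in the first call, which is the "try everything, then fail closed" behaviour the thread describes.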
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop