A DNS query that contains the CHAIN option MUST also have the DNSSEC OK ("OK") bit set. If this bit is not set, or if the Checking Disabled ("CD") bit is set, the CHAIN option received MUST be ignored.

Why disabled on CD=1? If you have the contents cached and validated already, what does it hurt to send the trust chain? If you don't have an element of the trust chain, you can still fetch it and return it unvalidated just using the signer names.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
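
The rule in the draft text quoted at the top of this message, as an added example that is not part of the original post or the draft: a responder-side check that parses a wire-format query and honors the CHAIN option only when DO is set and CD is clear. The function names and the constructed sample queries are hypothetical; the option code 13 and the trust-point payload are taken from RFC 7901, not from this page.

```python
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR (RFC 6891)
CHAIN_CODE = 13    # EDNS CHAIN option code as assigned in RFC 7901
CD_FLAG = 0x0010   # Checking Disabled bit in the DNS header flags
DO_FLAG = 0x8000   # DNSSEC OK bit in the OPT TTL flags field

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + n

def chain_decision(msg):
    """Return (do, cd, chain_present, honor) for a wire-format query."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    cd = bool(flags & CD_FLAG)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    do = chain = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == OPT_TYPE:
            do = bool(ttl & DO_FLAG)
            pos, end = off, off + rdlen
            while pos + 4 <= end:              # walk {code, length, data}
                code, olen = struct.unpack_from("!HH", msg, pos)
                chain |= code == CHAIN_CODE
                pos += 4 + olen
        off += rdlen
    return do, cd, chain, chain and do and not cd

def build_query(do, cd, with_chain):
    """Constructed sample: A query for example.com with an OPT record."""
    hdr = struct.pack("!6H", 0x1234, 0x0100 | (CD_FLAG if cd else 0), 1, 0, 0, 1)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    # Assumed CHAIN payload: closest trust point "." encoded as the root name
    opts = struct.pack("!HH", CHAIN_CODE, 1) + b"\x00" if with_chain else b""
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_FLAG if do else 0, len(opts)) + opts
    return hdr + question + opt
```

The CD=1 case questioned in the message is the one where `chain_decision(build_query(True, True, True))` reports the option as present but not honored.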