Hi Stephane,

> On Jan 8, 2016, at 12:48 PM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
>
> On Wed, Dec 09, 2015 at 12:27:33PM -0800,
> internet-dra...@ietf.org <internet-dra...@ietf.org> wrote
> a message of 39 lines which said:
>
>> Title : The EDNS Key Tag Option
>> Author : Duane Wessels
>> Filename : draft-ietf-dnsop-edns-key-tag-00.txt
>
> 5.2.1 says: "If the client included the DO and Checking Disabled (CD)
> bits, but did not include the edns-key-tag option in the query, the
> validating recursive resolver MAY include the option with its own Key
> Tag values in full."
>
> I do not understand why.

This is a consequence of using RFC 6975 ("Signaling Cryptographic Algorithm Understanding") as a starting point for this draft. It has similar language.

> If the client sends DO and CD, it means the
> server won't validate and therefore "its own Key Tag values" is
> irrelevant, it won't be the keys used for validation.
>
> [Generally speaking, I think it complicated the protocol for little or
> zero gain. The key tags should be added by the one who validates,
> period.]

Can you propose some specific text?

Are you saying that in this case if the client sets CD then the validating recursive should not include its key tags?

DW

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
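Added example, not code from the thread or the draft: a Python sketch of the Key Tag checksum from RFC 4034 Appendix B, the edns-key-tag option wire encoding (a list of 16-bit Key Tags; the option code is assumed to be 14, the value IANA later assigned), and the section 5.2.1 condition quoted above as a predicate. The DNSKEY RDATA is constructed.

```python
import struct

EDNS_KEY_TAG_OPTION_CODE = 14  # assumption: the code IANA later assigned to edns-key-tag


def key_tag(dnskey_rdata: bytes) -> int:
    """Key Tag over the full DNSKEY RDATA (flags, protocol, algorithm,
    public key) using the RFC 4034 Appendix B checksum. Algorithm 1
    (RSA/MD5) uses a different rule and is not handled here."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def encode_key_tag_option(tags) -> bytes:
    """One EDNS option: OPTION-CODE, OPTION-LENGTH, then each Key Tag
    as an unsigned 16-bit big-endian integer."""
    data = b"".join(struct.pack("!H", t) for t in tags)
    return struct.pack("!HH", EDNS_KEY_TAG_OPTION_CODE, len(data)) + data


def decode_key_tag_option(option: bytes):
    """Parse one option back into a list of Key Tags; reject a wrong
    code, a truncated payload, or an odd-length payload."""
    code, length = struct.unpack("!HH", option[:4])
    data = option[4:4 + length]
    if code != EDNS_KEY_TAG_OPTION_CODE or len(data) != length or length % 2:
        raise ValueError("not a well-formed edns-key-tag option")
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, length, 2)]


def resolver_adds_own_tags(do: bool, cd: bool, client_sent_option: bool) -> bool:
    """Section 5.2.1 as quoted in the thread: the validating recursive MAY
    add its own Key Tags only when the client set DO and CD and sent no
    edns-key-tag option. This takes the MAY as 'does'."""
    return do and cd and not client_sent_option


# Constructed sample DNSKEY RDATA: KSK flags (257), protocol 3, algorithm 8,
# followed by fake public-key bytes.
SAMPLE_KSK_RDATA = bytes([0x01, 0x01, 0x03, 0x08]) + b"\x03\x01\x00\x01\xaa\xbb\xcc\xdd"

if __name__ == "__main__":
    tag = key_tag(SAMPLE_KSK_RDATA)
    opt = encode_key_tag_option([tag])
    print(tag, opt.hex(), decode_key_tag_option(opt))
    print(resolver_adds_own_tags(do=True, cd=True, client_sent_option=False))
```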