In your previous mail you wrote:

> But, yes, you're correct -- diagnostic information included with a
> SERVFAIL is about as trustworthy as the AD bit, and in the absence of an
> authentication mechanism such as TSIG, clients should not rely on it or
> base policy on it.

=> TSIG can be in a response only if the query is signed...

Regards

francis.dup...@fdupont.fr

PS: I remember a similar operation vs security trade-off about IKEv2 NOTIFY messages: in some cases it is better to get unsecure information than no information at all because security is required. BTW in the case of this proposal it is second order because the real/main error is the SERVFAIL (or others but after a short study of bind9 code the first time this idea was proposed it should be at 90% or more SERVFAILs).

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop