>> The current text in -09 reads:
>>
>> The DNS response is DNSSEC validated, regardless of whether
>> DNSSEC validation was requested, and result of validation is
>> "Secure"
After discussing this with Warren and Joao I'd like to propose a slightly different wording to the WG. The proposed wording is:

All of the following conditions must be met to trigger special processing inside resolver code:

- The DNS response is DNSSEC validated
- The result of validation is "Secure"
- The AD bit is to be set in the response
- The QTYPE is either A or AAAA (Query Type value 1 or 28)
- The OPCODE is QUERY
- The leftmost label of the original QNAME (the name sent in the Question Section in the original query) is either "root-key-sentinel-is-ta-<key-tag>" or "root-key-sentinel-not-ta-<key-tag>"

If any one of the preconditions is not met, the resolver MUST NOT alter the DNS response based on the mechanism in this document.

What was concerning me was that the wording in -09 could be mis-interpreted to be subtly altering the preconditions for a resolver to perform validation, and that's best left to the mainstream DNSSEC specification documents. If there are any lingering uncertainties as to when and why a resolver performs DNSSEC validation and communicates the outcome in a response, I think that they are best resolved in a focussed discussion on the preconditions for DNSSEC validation rather than obliquely in this sentinel draft. Hence the proposed text above, that simply says that the AD bit is set in the response.

The other change I'm proposing is one of consistency - the -09 text had proposed two conditions in one sentence, then enumerated a further three conditions. I felt it was more consistent to explicitly enumerate all conditions.

Are there any objections from the WG to integrating this change and pushing out a -10 version of this draft?

regards,

Geoff

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
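The precondition list in the proposed wording, as an added worked example (not code from the draft or from any resolver): a gate that checks all six conditions on a decoded response before any sentinel handling, then applies the is-ta/not-ta comparison against a constructed trust-anchor set. The `Response` fields, the `TRUST_ANCHOR_KEY_TAGS` value and the SERVFAIL outcome are assumptions for the demo, and key-tag padding rules are not enforced.

```python
from dataclasses import dataclass

# Constructed trust-anchor set for the demo (assumption): key tags this
# resolver currently holds as root trust anchors.
TRUST_ANCHOR_KEY_TAGS = {20326}

QTYPE_A, QTYPE_AAAA = 1, 28
OPCODE_QUERY = 0
# Leftmost-label prefixes named in the proposed text, mapped to their meaning.
SENTINEL_PREFIXES = {
    "root-key-sentinel-is-ta-": "is-ta",
    "root-key-sentinel-not-ta-": "not-ta",
}


@dataclass
class Response:
    qname: str        # name from the Question Section of the original query
    qtype: int
    opcode: int
    validated: bool   # resolver performed DNSSEC validation
    result: str       # "Secure", "Insecure", "Bogus", ...
    ad: bool          # AD bit set in the response


def sentinel_label(qname: str):
    """Return (kind, key_tag) if the leftmost label is a sentinel label, else None."""
    leftmost = qname.rstrip(".").split(".")[0].lower()   # DNS labels are case-insensitive
    for prefix, kind in SENTINEL_PREFIXES.items():
        if leftmost.startswith(prefix):
            tag = leftmost[len(prefix):]
            if tag.isdigit() and int(tag) <= 65535:      # key tag is a 16-bit value
                return kind, int(tag)
    return None


def preconditions_met(r: Response) -> bool:
    """Every condition in the proposed wording must hold; otherwise no special processing."""
    return (r.validated and r.result == "Secure" and r.ad
            and r.qtype in (QTYPE_A, QTYPE_AAAA)
            and r.opcode == OPCODE_QUERY
            and sentinel_label(r.qname) is not None)


def sentinel_decision(r: Response, anchors=TRUST_ANCHOR_KEY_TAGS) -> str:
    """Return "unaltered" or "servfail" (assumed altered outcome) for a validated answer."""
    if not preconditions_met(r):
        return "unaltered"                # MUST NOT alter the response
    kind, tag = sentinel_label(r.qname)
    has_anchor = tag in anchors
    if (kind == "is-ta" and not has_anchor) or (kind == "not-ta" and has_anchor):
        return "servfail"
    return "unaltered"
```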