>> 
>> The current text in -09 reads: 
>> 
>>  The DNS response is DNSSEC validated, regardless of whether
>>  DNSSEC validation was requested, and the result of validation is
>>  "Secure"
>> 

After discussing this with Warren and Joao I’d like to propose a slightly 
different wording to the WG. The proposed wording is:


        All of the following conditions must be met to trigger special
        processing inside resolver code:

            The DNS response is DNSSEC validated

            The result of validation is "Secure"

            The AD bit is to be set in the response

            The QTYPE is either A or AAAA (Query Type value 1 or 28)

            The OPCODE is QUERY

            The leftmost label of the original QNAME (the name sent in the
            Question Section in the original query) is either
            "root-key-sentinel-is-ta-<key-tag>" or
            "root-key-sentinel-not-ta-<key-tag>"

        If any one of the preconditions is not met, the resolver MUST NOT
        alter the DNS response based on the mechanism in this document


What was concerning me was that the wording in -09 could be mis-interpreted to 
be subtly altering the preconditions for a resolver to perform validation, and 
that's best left to the mainstream DNSSEC specification documents. If there are 
any lingering uncertainties as to when and why a resolver performs DNSSEC 
validation and communicates the outcome in a response, I think that they are 
best resolved in a focussed discussion on the preconditions for DNSSEC 
validation rather than obliquely in this sentinel draft. Hence the proposed 
text above, that simply says that the AD bit is set in the response. 

The other change I’m proposing is one of consistency - the -09 text had 
proposed two conditions in one sentence, then enumerated a further three 
conditions. I felt it was more consistent to explicitly enumerate all 
conditions.

Are there any objections from the WG to integrating this change and pushing out 
a -10 version of this draft?

regards,

   Geoff



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
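The precondition list in the proposed wording is easy to get subtly wrong in resolver code (matching a sentinel label that is not the leftmost one, or applying the processing on an Insecure answer). The following is an added example written for this thread, not code from the draft or from any resolver implementation. It encodes the six conditions as one predicate over the fields they name and runs it over constructed query/response cases. Two things it assumes that the e-mail does not state: that <key-tag> is written as decimal digits, and that the sentinel label is compared case-insensitively, as DNS labels are in general. The OPCODE value 0 for QUERY (RFC 1035) and the 16-bit range of key tags (RFC 4034) are standard DNS facts.

```python
"""Predicate for the proposed root-key-sentinel preconditions.

Added example for this DNSOP thread; not code from the draft or any resolver.
Assumptions not stated in the e-mail: <key-tag> is decimal digits, and the
label is matched case-insensitively (DNS labels are case-insensitive).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

QTYPE_A = 1
QTYPE_AAAA = 28
OPCODE_QUERY = 0  # RFC 1035 OPCODE value for a standard query

# Matches only a whole label; assumption: key tag is written in decimal.
_SENTINEL_RE = re.compile(r"^root-key-sentinel-(is|not)-ta-([0-9]+)$", re.IGNORECASE)


@dataclass(frozen=True)
class ResponseContext:
    """The query/response fields the proposed conditions refer to."""
    qname: str               # name from the Question Section of the original query
    qtype: int
    opcode: int
    dnssec_validated: bool   # the resolver performed DNSSEC validation
    validation_result: str   # "Secure", "Insecure", "Bogus", ...
    ad_bit: bool             # the AD bit the resolver is about to set


def parse_sentinel_label(qname: str) -> Optional[Tuple[str, int]]:
    """Return ("is" | "not", key_tag) if the LEFTMOST label is a sentinel label.

    Only the leftmost label counts; a sentinel label further right does not.
    A trailing dot and letter case are ignored. Key tags are 16-bit values
    (RFC 4034), so anything above 65535 is rejected.
    """
    leftmost = qname.rstrip(".").split(".")[0]
    m = _SENTINEL_RE.match(leftmost)
    if m is None:
        return None
    key_tag = int(m.group(2))
    if key_tag > 65535:
        return None
    return m.group(1).lower(), key_tag


def sentinel_processing_applies(ctx: ResponseContext) -> bool:
    """True only when every precondition in the proposed wording is met.

    If any single condition fails, the resolver MUST NOT alter the response
    on the basis of the sentinel mechanism, so this returns False.
    """
    return (
        ctx.dnssec_validated
        and ctx.validation_result == "Secure"
        and ctx.ad_bit
        and ctx.qtype in (QTYPE_A, QTYPE_AAAA)
        and ctx.opcode == OPCODE_QUERY
        and parse_sentinel_label(ctx.qname) is not None
    )


# Constructed sample cases (hypothetical names under example.net).
SAMPLE_CASES: Dict[str, ResponseContext] = {
    "all-met":        ResponseContext("root-key-sentinel-is-ta-20326.example.net.", QTYPE_A, OPCODE_QUERY, True, "Secure", True),
    "aaaa-upper":     ResponseContext("ROOT-KEY-SENTINEL-NOT-TA-01234.example.net", QTYPE_AAAA, OPCODE_QUERY, True, "Secure", True),
    "insecure":       ResponseContext("root-key-sentinel-is-ta-20326.example.net", QTYPE_A, OPCODE_QUERY, True, "Insecure", False),
    "txt-qtype":      ResponseContext("root-key-sentinel-is-ta-20326.example.net", 16, OPCODE_QUERY, True, "Secure", True),
    "not-leftmost":   ResponseContext("www.root-key-sentinel-is-ta-20326.example.net", QTYPE_A, OPCODE_QUERY, True, "Secure", True),
    "not-validated":  ResponseContext("root-key-sentinel-is-ta-20326.example.net", QTYPE_A, OPCODE_QUERY, False, "", False),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the predicate over every constructed case."""
    return {name: sentinel_processing_applies(ctx) for name, ctx in SAMPLE_CASES.items()}


if __name__ == "__main__":
    for name, applies in evaluate_samples().items():
        print(f"{name:14s} special processing: {'yes' if applies else 'no'}")
```

Note that the predicate deliberately checks the AD bit as its own condition rather than deriving it from the validation result, mirroring the proposed text's intent of leaving the rules for when a resolver validates and sets AD to the DNSSEC specifications.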
