On Tue, Apr 3, 2018 at 12:13 AM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> On 2 Apr 2018, at 17:05, George Michaelson wrote:
>
>> RFC4035 section 3.2 looks like it has usable words surely?
>
> Maybe I'm an idiot, but I see no definition of "validating resolver" there.

ok. So what is the 'resolver side' of a 'security aware' nameserver in
3.2, 3.2.1, 3.2.2, 3.2.3 and 4?

You're not an idiot. I make many inferential leaps which aren't
subsequently justified, but it felt to me like the definitional
language around security aware went to validation.

>
>> not from those words, but in my personal opinion, any resolver which
>> is able to understand and apply the semantic context of DNSSEC
>> signatures over RR should be considered a validating resolver.
>> However, a validating resolver may also be seen NOT to perform
>> validation because it receives queries with the CD bit set. Therefore,
>> you cannot say that all queries through a validating resolver
>> necessarily demonstrate it is capable of validating. It's not entirely
>> subject to external views of its behaviour without the full context of
>> what was in the query received.
>
> Errr, could you give the specific words that you would want to replace the
> current definition?

I think we're a bit of a way off that stage Paul. If you don't think
it's defined in an RFC, we're "inventing things" and I always feel very
nervous about that.

-G

>
> --Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop