> On 3 Apr 2018, at 1:10 pm, Mark Andrews <ma...@isc.org> wrote:
> 
> Do we really want to test for AD?  How many stub resolvers set DO or AD to 
> elicit an AD response?
> 

I’m not sure that we are on the same page here. The precondition is: “The AD 
bit is to be set in the response”, i.e. it is not a test on the query per se; 
it is a test on the response. Your comment appears to suggest that you believe 
that the text is asking for a test on the query. That is definitely not the 
intention of the text, i.e. it does not attempt to say what combination of 
flags in the query is used to signal that validation is to be applied (that's 
the role of RFC4035 and RFC6840), but the text is attempting to say “if the 
resolver has validated the response and is passing back a response that it is 
marking as being valid” then perform <actions>.

I felt that saying that:

   o  The DNS response is DNSSEC validated

   o  the result of validation is "Secure"

   o  the AD bit is to be set in the response

would encompass this state.

Is there a better way of saying this? Please suggest text if you believe that 
this could be stated more accurately.

thanks,

   Geoff
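As an added illustration of the distinction discussed above (example code, not from this thread or its authors): the check is applied to the flags word of the response header, never to the query, using constructed 12-byte headers as sample input. Bit positions follow RFC 1035 section 4.1.1 with the AD/CD bits from RFC 4035.

```python
"""Check the AD (Authentic Data) bit on a DNS *response* header.

Constructed example for the DNSOP discussion; not code from the thread.
Only the 12-byte header is needed to evaluate the precondition.
"""
import struct

# Flag bits of the 16-bit flags word (second field of the header).
QR = 0x8000  # 1 = this message is a response
RD = 0x0100  # Recursion Desired
RA = 0x0080  # Recursion Available
AD = 0x0020  # Authentic Data: validating resolver asserts "Secure"
CD = 0x0010  # Checking Disabled
RCODE_MASK = 0x000F


def parse_header(msg: bytes) -> dict:
    """Unpack the fixed DNS header into the fields the test needs."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & QR),
        "rcode": flags & RCODE_MASK,
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "counts": (qd, an, ns, ar),
    }


def response_is_validated_secure(msg: bytes) -> bool:
    """The precondition as Geoff states it: a response (QR=1) in which the
    resolver has set AD, with RCODE NOERROR. Query flags (DO/AD/CD on
    the request) are deliberately not consulted here."""
    h = parse_header(msg)
    return h["is_response"] and h["rcode"] == 0 and h["ad"]


# Constructed sample headers (ID 0x1234, one question).
# A query that itself sets AD (RD|AD = 0x0120): AD on a query is a request
# for the bit, not evidence of validation, so the check must return False.
QUERY_AD_SET = struct.pack("!HHHHHH", 0x1234, RD | AD, 1, 0, 0, 0)
# A validated response: QR|RD|RA|AD = 0x81A0.
RESPONSE_AD = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 0)
# An unvalidated (or insecure) response: QR|RD|RA = 0x8180.
RESPONSE_NO_AD = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
```

Only `RESPONSE_AD` satisfies the precondition; the query with AD set does not, because the test is on the response, not the request.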



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
