> On 3 Apr 2018, at 5:38 pm, Mark Andrews <ma...@isc.org> wrote: > > AD is only set or potentially set in the response if DO or AD is set on the > query. > > The condition boils down to testing for AD or DO in the query because the > answer needs to be secure and there can’t be a CNAME or DNAME pointing to it. > About the only way it to not have a AD would be for there to be a CNAME and > the target be insecure based on the other conditions. > > I would just remove the condition. >
Thanks Mark. I had just posted a followup before seeing your response. I’ll remove the condition then. Geoff _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
