> On 3 Apr 2018, at 11:42 pm, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>
> On 3 Apr 2018, at 1:34, Geoff Huston wrote:
>
>> I’ll remove the condition then.
>
> Will you re-instate what Petr asked for, namely some wording that indicates
> that the resolver has to do DNSSEC validation on what it gets back from the
> authoritative server *regardless* of whether the originating client requests
> it? Without that, it is unclear what a resolver should do.
>
Hi Paul,

(You should colour me as still confused!)

Is the wording “that the resolver has to do DNSSEC validation on what it gets back from the authoritative server *regardless* of whether the originating client requests it?” a clarification that updates the validation behaviours as specified in RFC4035 and RFC6840 as to when a security aware resolver performs validation?

Or merely a clarification of the precondition in the context of the sentinel behaviour but of no wider import?

thanks,

Geoff

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop