> On 3 Apr 2018, at 11:42 pm, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> 
> 
> On 3 Apr 2018, at 1:34, Geoff Huston wrote:
> 
>> I’ll remove the condition then.
> 
> Will you re-instate what Petr asked for, namely some wording that indicates 
> that the resolver has to do DNSSEC validation on what it gets back from the 
> authoritative server *regardless* of whether the originating client requests 
> it? Without that, it is unclear what a resolver should do.
> 


Hi Paul,

(You should colour me as still confused!)

Is the wording “that the resolver has to do DNSSEC validation on what it gets 
back from the authoritative server *regardless* of whether the originating 
client requests it?” a clarification that updates the validation behaviours as 
specified in RFC4035 and RFC6840 as to when a security aware resolver performs 
validation? Or merely a clarification of the precondition in the context of the 
sentinel behaviour but of no wider import?


thanks,

   Geoff

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
