On 3 Apr 2018, at 13:45, Geoff Huston wrote:

Is the wording “that the resolver has to do DNSSEC validation on what it gets back from the authoritative server *regardless* of whether the originating client requests it?” a clarification that updates the validation behaviours as specified in RFC4035 and RFC6840 as to when a security aware resolver performs validation? Or merely a clarification of the precondition in the context of the sentinel behaviour but of no wider import?

The latter. Otherwise, someone reading the document might not understand that the response must be validated no matter what.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
