> On 4 Apr 2018, at 7:11 am, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>
> On 3 Apr 2018, at 13:45, Geoff Huston wrote:
>
>> Is the wording “that the resolver has to do DNSSEC validation on what it
>> gets back from the authoritative server *regardless* of whether the
>> originating client requests it?” a clarification that updates the validation
>> behaviours as specified in RFC4035 and RFC6840 as to when a security aware
>> resolver performs validation? Or merely a clarification of the precondition
>> in the context of the sentinel behaviour but of no wider import?
>
> The latter. Otherwise, someone reading the document might not understand that
> the response must be validated no matter what.
So you are saying that the document should revert to the wording:
All of the following conditions must be met to trigger special
processing inside resolver code:
o The DNS response is DNSSEC validated, regardless of whether
DNSSSEC validation was requested.
o The result of validation is “Secure".
o The QTYPE is either A or AAAA (Query Type value 1 or 28).
o The OPCODE is QUERY.
o The leftmost label of the original QNAME (the name sent in the
Question Section in the original query) is either "root-key-
sentinel-is-ta-<key-tag>" or "root-key-sentinel-not-ta-<key-tag>”.
(I’ve split the initial condition into two explicit preconditions to be
consistent with the rest of the enumerated list)
Any objections to this from the WG? I’ll wait for 24 hours and then post this
wording as version 11 unless the WG says otherwise
Thanks,
Geoff
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
