> On 4 Apr 2018, at 10:59 am, Mark Andrews <ma...@isc.org> wrote:
>
>> On 4 Apr 2018, at 10:28 am, Geoff Huston <g...@apnic.net> wrote:
>>
>> I thought that if the query contained CD = 1 then the DNS response
>> would not be validated,
>
> This ONLY applies if the answer is NOT ALREADY CACHED. If the answer
> is already cached then CD=1 queries will get this processing as the
> answer returned from the cache will be “secure” or “insecure” depending
> on earlier validation. If you don’t want CD=1 queries to get this processing
> you need to explicitly exclude it. You can’t depend on the answer NOT being
> cached.
>
Mark,

If I understand you correctly, then the preconditions need to include an explicit provision that the CD bit is not set.

Does the following wording work for you?

All of the following conditions must be met to trigger special processing inside resolver code:

o The DNS response is DNSSEC validated, regardless of whether DNSSEC validation was requested.
o The result of validation is “Secure”.
o The Checking Disabled (CD) bit in the query is not set.
o The QTYPE is either A or AAAA (Query Type value 1 or 28).
o The OPCODE is QUERY.
o The leftmost label of the original QNAME (the name sent in the Question Section in the original query) is either "root-key-sentinel-is-ta-<key-tag>" or "root-key-sentinel-not-ta-<key-tag>".

regards,

Geoff

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
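The six preconditions above expressed as one resolver-side check, added here as an illustration (it is not code from the draft, from BIND or from any other resolver); the plain-decimal `<key-tag>` encoding and the `SentinelQuery` field names are assumptions, since the message does not define them.

```python
"""Sentinel preconditions from the message above, as a single check.
Added illustration, not draft or resolver code; the <key-tag> encoding
(plain decimal, 16-bit range) is an assumption the excerpt does not define."""
from dataclasses import dataclass
from typing import Optional, Tuple

QTYPE_A, QTYPE_AAAA = 1, 28
OPCODE_QUERY = 0
PREFIXES = (("is-ta", "root-key-sentinel-is-ta-"),
            ("not-ta", "root-key-sentinel-not-ta-"))


@dataclass(frozen=True)
class SentinelQuery:
    qname: str        # original QNAME from the Question Section
    qtype: int
    opcode: int
    cd: bool          # Checking Disabled bit of the query
    validation: str   # resolver's verdict: "secure", "insecure", "bogus", ...
    from_cache: bool = False  # deliberately NOT consulted; see below


def parse_sentinel_label(qname: str) -> Optional[Tuple[str, int]]:
    """Return ("is-ta" | "not-ta", key_tag) if the leftmost label is a sentinel."""
    leftmost = qname.rstrip(".").split(".")[0].lower()  # labels are case-insensitive
    for kind, prefix in PREFIXES:
        if leftmost.startswith(prefix):
            tag = leftmost[len(prefix):]
            # Assumption: ASCII decimal digits, no larger than a 16-bit Key Tag.
            if tag.isascii() and tag.isdigit() and int(tag) <= 65535:
                return kind, int(tag)
            return None
    return None


def sentinel_processing(q: SentinelQuery) -> Optional[Tuple[str, int]]:
    """Apply all six conditions; None means answer the query normally.

    CD is tested explicitly because, as Mark notes, a CD=1 query answered from
    cache still carries a "secure" validation state, so the validation result
    alone cannot exclude it.
    """
    if q.validation != "secure" or q.cd:
        return None
    if q.qtype not in (QTYPE_A, QTYPE_AAAA) or q.opcode != OPCODE_QUERY:
        return None
    return parse_sentinel_label(q.qname)
```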