> On 4 Apr 2018, at 11:17 am, Geoff Huston <g...@apnic.net> wrote:
> 
>> On 4 Apr 2018, at 10:59 am, Mark Andrews <ma...@isc.org> wrote:
>> 
>> 
>>> On 4 Apr 2018, at 10:28 am, Geoff Huston <g...@apnic.net> wrote:
>>> 
>>> I thought that if the query contained CD = 1 then the DNS response
>>> would not be validated,
>> 
>> This ONLY applies if the answer is NOT ALREADY CACHED. If the answer
>> is already cached then CD=1 queries will get this processing as the
>> answer returned from the cache will be “secure” or “insecure” depending
>> on earlier validation. If you don’t want CD=1 queries to get this processing
>> you need to explicitly exclude it. You can’t depend on the answer NOT being
>> cached.
>> 
> 
> Mark,
> 
> If I understand you correctly, then the preconditions need to include
> an explicit provision that the CD bit is not set.
> 
> Does the following wording work for you?
No. Below is self-contradictory. Condition 1 requires that CD=1 be turned
into CD=0 and condition 3 requires that no special processing happens for
CD=1.

How CD is handled determines what you are testing when you have resolvers
in series. Do you want CD=1 to disable special processing? Do you want to
only test the first validator? Do you want to test the entire chain? Do
you want consistency? All the scenarios need to be worked through
remembering that there is a cache that may be populated.

> All of the following conditions must be met to trigger special
> processing inside resolver code:
> 
> o The DNS response is DNSSEC validated, regardless of whether
> DNSSEC validation was requested.
> 
> o The result of validation is “Secure”.
> 
> o The Checking Disabled (CD) bit in the query is not set.
> 
> o The QTYPE is either A or AAAA (Query Type value 1 or 28).
> 
> o The OPCODE is QUERY.
> 
> o The leftmost label of the original QNAME (the name sent in the
> Question Section in the original query) is either "root-key-
> sentinel-is-ta-<key-tag>" or "root-key-sentinel-not-ta-<key-tag>”.
> 
> 
> regards,
> 
> Geoff
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
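The trigger conditions Geoff proposes, written out as a pure function, as an added example that is not part of the thread or of any resolver's code. The `Query`/`Answer` model, the function names, the lower-casing of the label and the acceptance of unpadded key tags are assumptions made for illustration. The validation state is carried on the answer rather than derived from the query, so that Mark's point is visible: a cached answer arrives already marked "secure" from earlier validation, and only the explicit CD condition keeps a CD=1 query out of the special processing. The final is-ta/not-ta outcome mapping follows the behaviour of the published version of this draft, RFC 8509, and is not stated in the thread itself.

```python
"""Root-key-sentinel trigger check (illustrative, not resolver code)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

QTYPE_A, QTYPE_AAAA = 1, 28
OPCODE_QUERY = 0

# Both sentinel label forms; key tag is a decimal number. Zero-padding is
# not enforced here (assumption for illustration).
SENTINEL_RE = re.compile(r"^root-key-sentinel-(is|not)-ta-(\d+)$")


@dataclass(frozen=True)
class Query:
    qname: str              # original QNAME from the Question section
    qtype: int
    opcode: int = OPCODE_QUERY
    cd: bool = False        # Checking Disabled bit as sent by the client


@dataclass(frozen=True)
class Answer:
    # Validation state of the data being returned. For a cached answer this
    # comes from earlier validation, not from the current query's CD bit.
    validation: str         # "secure", "insecure", "bogus", "indeterminate"


def sentinel_label(qname: str) -> Optional[Tuple[str, int]]:
    """Return ("is"|"not", key_tag) if the leftmost label is a sentinel label."""
    leftmost = qname.rstrip(".").split(".")[0].lower()   # assumed case-insensitive
    m = SENTINEL_RE.match(leftmost)
    if not m:
        return None
    tag = int(m.group(2))
    if tag > 0xFFFF:        # key tags are 16-bit values
        return None
    return m.group(1), tag


def special_processing_applies(q: Query, a: Answer) -> bool:
    """All of the listed preconditions must hold, including CD not set."""
    return (
        q.opcode == OPCODE_QUERY
        and q.qtype in (QTYPE_A, QTYPE_AAAA)
        and not q.cd
        and a.validation == "secure"
        and sentinel_label(q.qname) is not None
    )


def sentinel_outcome(q: Query, a: Answer, trusted_key_tags) -> str:
    """'normal' (ordinary response handling) or 'servfail'.

    Outcome mapping as in RFC 8509: is-ta answers normally only when the
    tag is a configured trust anchor; not-ta only when it is not.
    """
    if not special_processing_applies(q, a):
        return "normal"
    kind, tag = sentinel_label(q.qname)
    trusted = tag in trusted_key_tags
    if (kind == "is" and trusted) or (kind == "not" and not trusted):
        return "normal"
    return "servfail"


if __name__ == "__main__":
    # Constructed sample: resolver trusts KSK-2017 (tag 20326) only.
    trusted = {20326}
    cached_secure = Answer("secure")
    for name in ("root-key-sentinel-is-ta-20326.example.",
                 "root-key-sentinel-not-ta-20326.example.",
                 "root-key-sentinel-is-ta-19036.example."):
        for cd in (False, True):
            q = Query(name, QTYPE_A, cd=cd)
            print(f"{name:45} CD={int(cd)} -> "
                  f"{sentinel_outcome(q, cached_secure, trusted)}")
```

Running the sample shows the effect of the third condition: with a cached "secure" answer, the same not-ta name yields SERVFAIL for CD=0 and a normal answer for CD=1, which is exactly the split between testing the first validator and testing the whole chain that Mark asks the authors to decide on.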