> No. Below is self contradictory. Condition 1 requires that
> CD=1 be turned into CD=0 and condition 3 requires that no special
> processing happens for CD=1.
>
> How CD is handled determines what you are testing when you have
> resolvers in series.
>
> Do you want CD=1 to disable special processing?

yes

> Do you want to only test the first validator?

yes

> Do you want to test the entire chain?

no

> Do you want consistency?

err, umm - yes? (is this a trick question? :-) )

>
> All the scenarios need to be worked through remembering that there
> is a cache that may be populated.
>

Mark, would it help if the phrase “regardless of whether DNSSEC validation was requested.” was removed?

i.e.:

   All of the following conditions must be met to trigger special
   processing inside resolver code:

   o  The DNS response is DNSSEC validated

   o  The result of validation is “Secure”.

   o  The Checking Disabled (CD) bit in the query is not set.

   o  The QTYPE is either A or AAAA (Query Type value 1 or 28).

   o  The OPCODE is QUERY.

   o  The leftmost label of the original QNAME (the name sent in the
      Question Section in the original query) is either
      "root-key-sentinel-is-ta-<key-tag>" or
      "root-key-sentinel-not-ta-<key-tag>".

Geoff

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
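
The condition list in the message above, written out as a single check (an added example, not part of the original message and not taken from any resolver's code). `Query` and `sentinel_trigger` are hypothetical names, and the five-digit zero-padded key-tag format is an assumption taken from RFC 8509, since the message does not spell it out.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

QTYPE_A, QTYPE_AAAA = 1, 28   # Query Type values named in the message
OPCODE_QUERY = 0              # standard QUERY opcode

# Assumption: <key-tag> is five zero-padded decimal digits (RFC 8509 form).
_LABEL = re.compile(r"root-key-sentinel-(is|not)-ta-([0-9]{5})")


@dataclass
class Query:
    """Hypothetical minimal view of the original query as received."""
    qname: str               # presentation format, no escaped dots assumed
    qtype: int
    opcode: int = OPCODE_QUERY
    cd: bool = False         # Checking Disabled bit from the query header


def sentinel_trigger(q: Query, validation: Optional[str]) -> Optional[Tuple[str, int]]:
    """Return (test, key_tag) when every listed condition holds, else None.

    `validation` is the resolver's DNSSEC result for the response
    ("Secure", "Insecure", "Bogus", ...) or None if it was not validated.
    """
    if validation != "Secure":        # validated, and the result is Secure
        return None
    if q.cd:                          # CD=1 disables special processing
        return None
    if q.qtype not in (QTYPE_A, QTYPE_AAAA) or q.opcode != OPCODE_QUERY:
        return None
    # Only the leftmost label of the original QNAME counts; DNS names are
    # case-insensitive, so compare in lower case.
    leftmost = q.qname.rstrip(".").split(".", 1)[0].lower()
    m = _LABEL.fullmatch(leftmost)
    if m is None or int(m.group(2)) > 0xFFFF:   # key tags are 16-bit
        return None
    return ("is-ta" if m.group(1) == "is" else "not-ta", int(m.group(2)))


if __name__ == "__main__":
    # Constructed sample queries (key tag 12345 is made up for illustration).
    name = "root-key-sentinel-is-ta-12345.example.com."
    print(sentinel_trigger(Query(name, QTYPE_A), "Secure"))           # triggers
    print(sentinel_trigger(Query(name, QTYPE_A, cd=True), "Secure"))  # CD=1: no
```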