> On 4 Apr 2018, at 2:30 pm, Geoff Huston <g...@apnic.net> wrote:
>
>> No. Below is self contradictory. Condition 1 requires that
>> CD=1 be turned into CD=0 and condition 3 requires that no special
>> processing happens for CD=1.
>>
>> How CD is handled determines what you are testing when you have
>> resolvers in series.
>>
>> Do you want CD=1 to disable special processing?
>
> yes
>
>> Do you want to only test the first validator?
>
> yes
>
>> Do you want to test the entire chain?
>
> no
>
>> Do you want consistency?
>
> err, umm - yes? (is this a trick question? :-) )
>
>> All the scenarios need to be worked through remembering that there
>> is a cache that may be populated.
>
> Mark, would it help if the phrase “regardless of whether DNSSEC validation
> was requested.”
> was removed?
>
> i.e.:
>
> All of the following conditions must be met to trigger special
> processing inside resolver code:
>
> o The DNS response is DNSSEC validated.
>
> o The result of validation is “Secure”.
>
> o The Checking Disabled (CD) bit in the query is not set.
>
> o The QTYPE is either A or AAAA (Query Type value 1 or 28).
>
> o The OPCODE is QUERY.
>
> o The leftmost label of the original QNAME (the name sent in the
> Question Section in the original query) is either
> "root-key-sentinel-is-ta-<key-tag>" or "root-key-sentinel-not-ta-<key-tag>".
>
> Geoff
I think that is the way to go.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
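The six trigger conditions Geoff lists, written out as a check, make the CD discussion concrete: with CD=1 the check short-circuits before anything else is examined, so a downstream validator that forwards with CD=1 is the only one whose trust anchors get tested. The block below is an added example for this thread, not code from any resolver or from the draft. It assumes the standard DNS constants (A=1, AAAA=28, OPCODE QUERY=0), treats the key tag as a decimal integer and the label as case-insensitive (an assumption), and models the response rule of the sentinel mechanism as the draft defines it (is-ta answers normally when the tag is a configured trust anchor and SERVFAILs otherwise, not-ta the inverse); the message quoted above only states the trigger conditions, not that rule. The key tag 20326 used in the demo is the tag of the KSK-2017 root key; the query names are constructed.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional, Set, Tuple

# Standard DNS values (RFC 1035 / RFC 3596), not page-specific.
QTYPE_A = 1
QTYPE_AAAA = 28
OPCODE_QUERY = 0

# Sentinel label forms from the quoted conditions. Assumption: <key-tag> is
# decimal digits and the label is matched case-insensitively, as DNS labels are.
_SENTINEL_RE = re.compile(r"^root-key-sentinel-(is-ta|not-ta)-(\d+)$", re.IGNORECASE)


@dataclass(frozen=True)
class SentinelQuery:
    """The pieces of a query/response a resolver has when deciding on special processing."""
    qname: str               # original QNAME from the Question Section, e.g. "root-key-sentinel-is-ta-20326.example."
    qtype: int
    opcode: int
    cd_bit: bool             # Checking Disabled bit in the query
    validated: bool          # the resolver DNSSEC-validated the response
    validation_result: str   # "Secure", "Insecure", "Bogus" or "Indeterminate"


def parse_sentinel_label(qname: str) -> Optional[Tuple[str, int]]:
    """Return ("is-ta" | "not-ta", key_tag) if the leftmost label is a sentinel label, else None."""
    leftmost = qname.split(".", 1)[0]
    m = _SENTINEL_RE.match(leftmost)
    if not m:
        return None
    return m.group(1).lower(), int(m.group(2))


def sentinel_applies(q: SentinelQuery) -> Optional[Tuple[str, int]]:
    """Apply all six conditions from the message; returns (mode, key_tag) or None when any fails."""
    if not q.validated:                         # 1. response is DNSSEC validated
        return None
    if q.validation_result != "Secure":         # 2. validation result is Secure
        return None
    if q.cd_bit:                                # 3. CD=1 disables special processing
        return None
    if q.qtype not in (QTYPE_A, QTYPE_AAAA):    # 4. QTYPE is A or AAAA
        return None
    if q.opcode != OPCODE_QUERY:                # 5. OPCODE is QUERY
        return None
    return parse_sentinel_label(q.qname)        # 6. leftmost label is a sentinel label


def sentinel_response(q: SentinelQuery, trust_anchor_tags: Set[int]) -> str:
    """Return "NORMAL" (answer as usual) or "SERVFAIL".

    Assumption (sentinel draft semantics, not stated in the quoted message):
    is-ta  -> NORMAL if the tag is a configured trust anchor, else SERVFAIL
    not-ta -> SERVFAIL if the tag is a configured trust anchor, else NORMAL
    """
    hit = sentinel_applies(q)
    if hit is None:
        return "NORMAL"
    mode, tag = hit
    present = tag in trust_anchor_tags
    if mode == "is-ta":
        return "NORMAL" if present else "SERVFAIL"
    return "SERVFAIL" if present else "NORMAL"


if __name__ == "__main__":
    # Constructed demo: a validating resolver that trusts KSK-2017 (key tag 20326).
    trusted = {20326}
    q = SentinelQuery("root-key-sentinel-is-ta-20326.example.", QTYPE_A, OPCODE_QUERY,
                      cd_bit=False, validated=True, validation_result="Secure")
    print("is-ta, CD=0:", sentinel_response(q, trusted))                 # NORMAL
    print("is-ta, CD=1:", sentinel_response(replace(q, cd_bit=True), trusted))  # NORMAL (check skipped)
    print("not-ta, CD=0:", sentinel_response(
        replace(q, qname="root-key-sentinel-not-ta-20326.example."), trusted))  # SERVFAIL
```

The CD=1 case returns NORMAL for every trust anchor set because the decision is never reached, which is exactly why a resolver in series that forwards with CD=1 leaves the upstream validator out of the test.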