On 4.4.2018 07:12, Geoff Huston wrote:
>>> All of the following conditions must be met to trigger special
>>> processing inside resolver code:
>>>
>>> o The DNS response is DNSSEC validated
>>>
>>> o The result of validation is “Secure”.
>>>
>>> o The Checking Disabled (CD) bit in the query is not set.
>>>
>>> o The QTYPE is either A or AAAA (Query Type value 1 or 28).
>>>
>>> o The OPCODE is QUERY.
>>>
>>> o The leftmost label of the original QNAME (the name sent in the
>>> Question Section in the original query) is either
>>> "root-key-sentinel-is-ta-<key-tag>" or
>>> "root-key-sentinel-not-ta-<key-tag>".
>>>
>>> Geoff
>>
>> I think that is the way to go.
>>
>
> Mark, thanks for your patience with my evident cluelessness!

The list of preconditions above is exactly what I meant but did not manage to explain why it is necessary. Thank you very much for hashing it out.

My apologies to dnsop and especially Geoff and Paul, I started this avalanche and then did not follow up. Mea culpa!

-- 
Petr Špaček @ CZ.NIC
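
The precondition list quoted above, written as one predicate (an added example, not part of the original message or of any resolver's code). `Query`, `sentinel_match` and the field names are hypothetical; the five-digit zero-padded decimal key tag is an assumption taken from RFC 8509, since the message only shows `<key-tag>`, and QNAMEs are assumed to be in presentation format without escaped dots.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

QTYPE_A, QTYPE_AAAA = 1, 28
OPCODE_QUERY = 0

# Assumption: <key-tag> is five zero-padded decimal digits (RFC 8509 form).
SENTINEL_RE = re.compile(r"^root-key-sentinel-(is|not)-ta-([0-9]{5})$")


@dataclass
class Query:
    """Hypothetical view of a query plus the resolver's validation result."""
    qname: str                 # original QNAME from the Question Section
    qtype: int
    opcode: int
    cd: bool                   # Checking Disabled bit in the query
    validation: Optional[str]  # None if not validated, else e.g. "Secure"


def sentinel_match(q: Query) -> Optional[Tuple[str, int]]:
    """Return (kind, key_tag) only if every listed precondition holds."""
    if q.validation is None:           # response was not DNSSEC validated
        return None
    if q.validation != "Secure":       # Insecure/Bogus/Indeterminate
        return None
    if q.cd:                           # CD set: no special processing
        return None
    if q.qtype not in (QTYPE_A, QTYPE_AAAA):
        return None
    if q.opcode != OPCODE_QUERY:
        return None
    # Only the leftmost label of the original QNAME counts; DNS names
    # compare case-insensitively.
    leftmost = q.qname.rstrip(".").split(".", 1)[0].lower()
    m = SENTINEL_RE.match(leftmost)
    if m is None:
        return None
    key_tag = int(m.group(2))
    if key_tag > 0xFFFF:               # key tags are 16-bit values
        return None
    return ("is-ta" if m.group(1) == "is" else "not-ta", key_tag)


# Constructed sample query (not taken from the thread).
sample = Query("root-key-sentinel-is-ta-20326.example.com.", QTYPE_A,
               OPCODE_QUERY, cd=False, validation="Secure")
```

A `None` result means the resolver answers the query normally, so a sentinel-looking label alone never changes behaviour when CD is set or validation did not end in "Secure".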