What is fuzzy? AD (and DO) says set the AD bit if the appropriate RRsets have
all been validated as secure. CD says if you recurse to answer this query, do
not validate the answer. There is no "you must recurse to answer this query" or
"you must ignore previous validation results if CD is set".
 
The two bits are not mutually exclusive. Neither bit modifies the
behaviour of the other.

If the conditions for setting AD in the response are met then it should be set.
-- 
Mark Andrews

> On 25 Jun 2018, at 23:23, Petr Špaček <petr.spa...@nic.cz> wrote:
> 
> Hello dnsop,
> 
> it seems to me that recursive resolver behavior for queries with AD + CD
> bits set at the same time is a bit fuzzy and I want to check what
> opinions WG participants have:
> 
> My understanding of
> https://tools.ietf.org/html/rfc6840#section-5.8
> https://tools.ietf.org/html/rfc4035#section-3.2.3
> is that an answer to a query with `AD + CD` can have AD set if the answer is
> coming from the resolver's cache (assuming the answer was stored into
> cache while processing a query *without* CD bit set).
> 
> What do you think?
> Do you see any operational impact if the AD is OR is not set in answers
> with CD set?
> 
> Thanks.
> 
> -- 
> Petr Špaček  @  CZ.NIC
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
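
The behaviour described in the reply above, as an added example that is not part of the original thread or any resolver's code: it reads AD, CD and DO from a wire-format query and decides the response AD bit from cached validation states without consulting CD. The helper names, the constructed sample query and the state labels ("secure", "unchecked") are assumptions made for illustration.

```python
import struct

FLAG_AD, FLAG_CD = 0x0020, 0x0010   # header bits (RFC 4035)
EDNS_DO, TYPE_OPT = 0x8000, 41      # DO lives in the OPT RR's TTL field (RFC 3225)


def build_query(qname, ad=False, cd=False, do=False):
    """Constructed sample input: an A query with RD set and optional AD/CD/DO."""
    flags = 0x0100 | (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if do else 0)
    for label in qname.strip(".").split("."):
        msg += bytes([len(label)]) + label.encode()
    msg += b"\x00" + struct.pack("!HH", 1, 1)        # root, QTYPE=A, QCLASS=IN
    if do:                                           # OPT: root, type, size, TTL, RDLEN
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return msg


def skip_name(msg, pos):
    """Step over a domain name (assumed uncompressed in this sample)."""
    while msg[pos] != 0:
        pos += msg[pos] + 1
    return pos + 1


def parse_query_flags(msg):
    """Extract the AD, CD and DO bits from a wire-format query."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4                # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
    return {"ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD), "do": do}


def response_ad(query, rrset_states):
    """AD is set when it was asked for (AD or DO) and every relevant RRset is
    'secure'. CD is not consulted: it does not modify the AD decision."""
    asked = query["ad"] or query["do"]
    return asked and bool(rrset_states) and all(s == "secure" for s in rrset_states)


def validate_on_recursion(query):
    """CD only governs whether data fetched by recursion is validated."""
    return not query["cd"]
```
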
