On Apr 30, 2020, at 8:17 AM, Ted Lemon <mel...@fugue.com> wrote:
>
> On Apr 29, 2020, at 11:38 PM, Brian Somers <bsom...@opendns.com> wrote:
>> Furthermore, the CNAME alias RRset must be validated unless the CD bit is
>> set.
>> A validating resolver MUST validate and can only return RRsets if they are
>> proven to be either insecure or secure. If the aliased RRset is bogus, the
>> answer is SERVFAIL.
>
> Ah. I like this answer. Is there a place where this is stated in the RFC that
> we can point to?
>
I would say RFC 4035 sections 4.2 and 4.3 say this. Section 5.5 reiterates that SERVFAIL should be sent if signatures don't validate.

— Brian

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
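The resolver behaviour Brian describes, as an added illustration that is not code from the thread or from any resolver: every RRset followed through a CNAME chain carries an RFC 4035 validation state, a Bogus RRset anywhere in the chain yields SERVFAIL unless the query had CD set, and the AD bit is only set when every RRset in the answer is Secure. The class and function names, the constructed example chain, and the folding of the Indeterminate state into `INSECURE` are this example's own simplifications.

```python
from enum import Enum


class State(Enum):
    """RFC 4035 s4.3 validation states (Indeterminate folded into INSECURE here)."""
    SECURE = "secure"      # signatures chain up to a trust anchor
    INSECURE = "insecure"  # provably unsigned (e.g. delegation with no DS)
    BOGUS = "bogus"        # signed, but the signatures fail to validate


class RRset:
    """One RRset the resolver followed; target is only set for CNAME RRsets."""
    def __init__(self, owner, rtype, state, target=None):
        self.owner, self.rtype, self.state, self.target = owner, rtype, state, target


def build_response(chain, cd_bit=False):
    """Return (rcode, answer_rrsets, ad_bit) for a CNAME-chained answer.

    chain: RRsets in the order the resolver followed them, CNAME aliases
    first and the final target RRset last.
    """
    if not chain:
        raise ValueError("empty chain")
    # Each CNAME must point at the owner of the next RRset, or the chain is broken.
    for cur, nxt in zip(chain, chain[1:]):
        if cur.rtype != "CNAME" or cur.target != nxt.owner:
            raise ValueError(f"chain broken at {cur.owner}")
    # RFC 4035 s5.5: a Bogus RRset anywhere in the answer means SERVFAIL,
    # unless the client set CD, in which case the data is handed back as-is.
    if not cd_bit and any(rr.state is State.BOGUS for rr in chain):
        return ("SERVFAIL", [], False)
    # AD is set only when every RRset in the answer validated as Secure;
    # an Insecure (or unvalidated Bogus) alias anywhere clears it.
    ad = all(rr.state is State.SECURE for rr in chain)
    return ("NOERROR", [(rr.owner, rr.rtype) for rr in chain], ad)


# Constructed sample chain: www -> cdn alias -> provider A record.
def sample_chain(alias_state=State.SECURE, final_state=State.SECURE):
    return [
        RRset("www.example.test.", "CNAME", State.SECURE, target="cdn.example.test."),
        RRset("cdn.example.test.", "CNAME", alias_state, target="cdn.provider.test."),
        RRset("cdn.provider.test.", "A", final_state),
    ]


if __name__ == "__main__":
    print(build_response(sample_chain(alias_state=State.BOGUS)))           # SERVFAIL
    print(build_response(sample_chain(alias_state=State.BOGUS), cd_bit=True))  # NOERROR, AD clear
```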