> On 22 Feb 2022, at 10:29 pm, Vladimír Čunát <vladimir.cunat+i...@nic.cz> > wrote: > > On 09/02/2022 22.41, Wes Hardaker wrote: >> So I've re-arranged things a bit to hopefully address the flow better. >> Let em know if you think further improvements are warranted. >> > I'd still probably suggest at least a minimalist change like: > -Note that a validating resolver MUST still validate the signature > +Note that a validating resolver returning an insecure response MUST still > validate the signature
Hi Vladimir, I’m not sure I follow that latter comment relating to "a validating resolver returning an insecure response" - Do you mean: a) - a DNSSEC-validation capable resolver responding to a query that had the CD bit set? b) - a DNSSEC-validation capable resolver responding to a query that had no EDNS(0) extensions at all? c) - a DNSSEC-validation capable resolver responding to a query that received an NSEC record signed with an algorithm, that was not recognised by the resolver? Geoff _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
