Vladimír Čunát <vladimir.cunat+i...@nic.cz> writes:

> On 09/02/2022 22.41, Wes Hardaker wrote:
> > So I've re-arranged things a bit to hopefully address the flow better.
> > Let me know if you think further improvements are warranted.
>
> I'd still probably suggest at least a minimalist change like:
>
> -Note that a validating resolver MUST still validate the signature
> +Note that a validating resolver returning an insecure response MUST still validate the signature
>
> But to me it's certainly not a big deal. (Though not changing this would mean that formally I wouldn't be exactly following the RFC.)
I think there seems to be consensus about this, so I implemented your change. I think it's actually best to be as clear as possible as to what's acceptable. I.e., you shouldn't be trying to find hidden loopholes.

So I added this:

    Validating resolvers MAY choose to not respond to NSEC3 records with iterations larger than 0.

-- 
Wes Hardaker
USC/ISI

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
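As an added illustration that is not part of this thread or of the draft text it discusses, the following Python parses the iteration count out of an NSEC3 record, applies the threshold being debated, and computes the hashed owner name to show what that count actually costs a validator; the record bytes, `classify_nsec3` and the other helper names are constructed for this example.

```python
import hashlib
import struct
from base64 import b32encode

def parse_nsec3_rdata(rdata: bytes) -> dict:
    # NSEC3 RDATA wire layout (RFC 5155 section 3.2): hash alg (1) | flags (1) |
    # iterations (2, big-endian) | salt len (1) | salt | hash len (1) |
    # next hashed owner name | type bit maps.
    alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    salt = rdata[pos:pos + salt_len]
    pos += salt_len
    hash_len = rdata[pos]
    pos += 1
    next_hashed = rdata[pos:pos + hash_len]
    return {"alg": alg, "flags": flags, "iterations": iterations,
            "salt": salt, "next_hashed": next_hashed,
            "type_bitmaps": rdata[pos + hash_len:]}

def nsec3_hash(owner_wire: bytes, salt: bytes, iterations: int) -> bytes:
    # RFC 5155 section 5: IH(salt, x, 0) = H(x || salt), IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    # Every extra iteration is one more SHA-1 round per name the validator must hash.
    digest = hashlib.sha1(owner_wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def base32hex(data: bytes) -> str:
    # NSEC3 owner names use the RFC 4648 "Extended Hex" base32 alphabet.
    std = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    hexa = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return b32encode(data).translate(bytes.maketrans(std, hexa)).decode()

def classify_nsec3(rdata: bytes, max_iterations: int = 0) -> str:
    """Apply the iteration threshold: above it the record is not used for a
    denial-of-existence proof and the answer is returned as insecure. The RRSIG
    over the NSEC3 RRset is still verified either way (needs zone keys; out of scope here)."""
    rec = parse_nsec3_rdata(rdata)
    return "insecure" if rec["iterations"] > max_iterations else "usable"

def make_nsec3_rdata(iterations: int, salt: bytes, next_hashed: bytes) -> bytes:
    # Constructed sample record: SHA-1 (alg 1), no opt-out flag, constructed type bitmap.
    return (struct.pack("!BBHB", 1, 0, iterations, len(salt)) + salt +
            bytes([len(next_hashed)]) + next_hashed + b"\x00\x06\x40\x00\x00\x00\x00\x03")

if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")
    owner = b"\x07example\x00"  # wire-format, lower-case owner name "example."
    for iters in (0, 150):
        rd = make_nsec3_rdata(iters, salt, b"\x01" * 20)
        print(iters, classify_nsec3(rd), base32hex(nsec3_hash(owner, salt, iters)))
```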