In the current registry for DNS Resolver Information Keys (RFC 9606), there is no key to indicate that the resolver validates with DNSSEC. For me, it is an important criterion to evaluate a resolver.
I am thinking about asking for a registration. Policy for this registry is "specification required". Before I start writing one, I ask your advice. Is it a good idea? Will managers of resolvers use it? Or do we assume that any serious resolver validates anyway?

Short proposal for the specification:

dnssecval: The presence of this key indicates that the DNS resolver validates all answers with DNSSEC [RFC4033][RFC4034][RFC4035]. Note that, per the rules for the keys defined in Section 6.4 of [RFC6763], if there is no '=' in a key, then it is a boolean attribute, simply identified as being present, with no value.

(And advise that exterr should then include the EDE for DNSSEC?)
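
A client-side sketch of how the proposed key could be consumed, added here as an example and not part of the original post or of any RFC. It assumes the RESINFO character-strings are already decoded, treats "dnssecval" as the post's proposed (unregistered) key, and groups EDE codes 1, 2 and 5-12 of RFC 8914 as the DNSSEC-related ones; the sample records are constructed.

```python
# Added example. "dnssecval" is the key proposed in the post, not a registered one.
DNSSEC_EDE = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}  # this example's grouping of RFC 8914 codes

def parse_resinfo(strings):
    """Parse RESINFO character-strings using the RFC 6763 Section 6.4 key rules."""
    attrs = {}
    for s in strings:
        key, sep, value = s.partition("=")
        key = key.lower()                      # keys are case-insensitive
        if not key or key in attrs:            # empty key ignored; first occurrence wins
            continue
        attrs[key] = value if sep else True    # no '=' means boolean attribute
    return attrs

def parse_exterr(value):
    """Expand an exterr value such as "6-7,15-17" into a set of EDE codes."""
    codes = set()
    for part in value.split(","):
        lo, sep, hi = part.strip().partition("-")
        if not lo.isdigit() or (sep and not hi.isdigit()):
            continue                           # skip malformed items rather than guess
        codes.update(range(int(lo), int(hi if sep else lo) + 1))
    return codes

def assess(strings):
    """Report the validation claim and whether DNSSEC EDE codes accompany it."""
    attrs = parse_resinfo(strings)
    claims = "dnssecval" in attrs              # presence alone carries the claim
    exterr = attrs.get("exterr")
    ede = parse_exterr(exterr) if isinstance(exterr, str) else set()
    dnssec_ede = sorted(ede & DNSSEC_EDE)
    return {
        "claims_validation": claims,
        "dnssec_ede": dnssec_ede,
        "missing_dnssec_ede": claims and not dnssec_ede,
    }

# Constructed sample records (character-strings of one RESINFO RR each).
SAMPLE_A = ["qnamemin", "exterr=6-7,15-17", "dnssecval",
            "infourl=https://resolver.example.com/guide"]
SAMPLE_B = ["qnamemin", "exterr=15-17", "DNSSECVAL"]
SAMPLE_C = ["qnamemin", "exterr=15-17"]

if __name__ == "__main__":
    for name, rec in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, assess(rec))
```

The key is a statement by the resolver operator, so a client that depends on validation would still confirm it by querying a zone with deliberately broken signatures.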