On Tue, Jul 10, 2012 at 10:21:59AM +1000, Mark Andrews wrote:
> CD=1 in Section 5.9 of draft-ietf-dnsext-dnssec-bis-updates. Making
> CD=0 queries forces the recursive server to try multiple authoritative
> servers until it gets an answer which validates or it exhausts the
> available authoritative servers and retries.
I think your analysis shows that there is a possible issue here, but it seems to me this could be corrected just as well if the validating recursive server validates anyway on CD=1, and tries an additional authoritative server until it gets the answer that validates; however, if it exhausts them and can't validate, then instead of failing it passes on the answer it got. (As an optimization for speed: it passes on the first answer it got, whatever the validation state, but then proceeds with its own validation attempts before filling its cache.)

As near as I can tell, this way of proceeding is still perfectly compliant. CD=1 can't override local policy at the recursive resolver; it can only direct the server about how to respond in case of validation failure.

Best,

A

--
Andrew Sullivan
[email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
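The resolver behaviour proposed in the message above, as an added simulation that is not part of the thread and not code from BIND or any other resolver: authoritative servers are stand-in Python callables, and "validation" is an assumed boolean flag on each answer rather than real DNSSEC signature checking. The names `Resolver`, `Answer`, `good_server`, `bogus_server` and the `fast` parameter (the "optimization for speed" variant, which answers immediately and validates only before filling the cache) are all hypothetical. It shows the three outcomes discussed: CD=0 and CD=1 both keep trying authoritative servers until one validates; with CD=1 the resolver hands back an unvalidated answer instead of SERVFAIL once servers are exhausted; and in no case does an unvalidated answer enter the cache.

```python
"""Simulation of the CD-bit handling proposed in the thread (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Optional

SERVFAIL = "SERVFAIL"


@dataclass
class Answer:
    rdata: str
    valid: bool  # stand-in for the DNSSEC validation outcome (assumed, not computed here)


# An "authoritative server" is just a callable name -> Answer (constructed stand-in).
AuthServer = Callable[[str], Answer]


def good_server(name: str) -> Answer:
    # Answer whose signatures are assumed to verify.
    return Answer(rdata="192.0.2.1", valid=True)


def bogus_server(name: str) -> Answer:
    # Stale or spoofed answer whose signatures are assumed NOT to verify.
    return Answer(rdata="198.51.100.99", valid=False)


@dataclass
class Resolver:
    auth_servers: List[AuthServer]
    cache: Dict[str, str] = field(default_factory=dict)
    queries_sent: int = 0  # lets a test see how many authoritative servers were tried

    def _ask_each(self, name: str) -> Iterator[Answer]:
        # Lazily query the authoritative servers one at a time.
        for server in self.auth_servers:
            self.queries_sent += 1
            yield server(name)

    def _cache_first_valid(self, name: str, answers: Iterator[Answer]) -> None:
        # Local policy: only a validated answer is allowed into the cache.
        for ans in answers:
            if ans.valid:
                self.cache[name] = ans.rdata
                return

    def resolve(self, name: str, cd: bool, fast: bool = False) -> str:
        if name in self.cache:
            return self.cache[name]
        answers = self._ask_each(name)

        if cd and fast:
            # Speed optimisation: hand the client the first answer whatever its
            # validation state, then keep validating so that only a validated
            # answer reaches the cache.
            head = next(answers, None)
            if head is None:
                return SERVFAIL
            if head.valid:
                self.cache[name] = head.rdata
            else:
                self._cache_first_valid(name, answers)
            return head.rdata

        # CD=0 and plain CD=1 alike: validate anyway, trying further
        # authoritative servers until one of them validates.
        first: Optional[Answer] = None
        for ans in answers:
            if first is None:
                first = ans
            if ans.valid:
                self.cache[name] = ans.rdata
                return ans.rdata

        # Exhausted every authoritative server without a validating answer.
        if cd and first is not None:
            return first.rdata  # CD=1: pass on what we got rather than failing
        return SERVFAIL  # CD=0: validation failure is reported to the client


def demo() -> Dict[str, str]:
    # One resolver per scenario so the caches do not interfere.
    mixed = [bogus_server, good_server]
    all_bogus = [bogus_server, bogus_server]
    return {
        "cd0_mixed": Resolver(mixed).resolve("www.example.", cd=False),
        "cd1_mixed": Resolver(mixed).resolve("www.example.", cd=True),
        "cd1_fast_mixed": Resolver(mixed).resolve("www.example.", cd=True, fast=True),
        "cd0_all_bogus": Resolver(all_bogus).resolve("www.example.", cd=False),
        "cd1_all_bogus": Resolver(all_bogus).resolve("www.example.", cd=True),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The point the simulation makes concrete is that `fast=True` trades answer integrity for latency only at the client that asked with CD=1; the shared cache is still fed exclusively by `_cache_first_valid`, so a bogus answer served to one CD=1 client is never replayed to later CD=0 clients.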
