On 11/18/20 1:36 AM, Phil Pennock wrote:
> Double-check: in such a scenario, if the request is for the recursive to
> validate DNSSEC and this zone is not opt-out, then the recursive would
> HAVE to get the data from the child, because the parent won't have RRSIG
> records for the glue NS, right?
> [...]

I believe the requirements are stronger and a server may never put parent-side data into ANSWER section. Validation can help in the sense that if it succeeds, it doesn't matter where the data came from. The best reference is probably rfc2181 5.4.1 again:

> Unauthenticated RRs received and cached from the least trustworthy of
> those groupings, that is data from the additional data section, and
> data from the authority section of a non-authoritative answer, should
> not be cached in such a way that they would ever be returned as
> answers to a received query.
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
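
The caching rule quoted from RFC 2181 5.4.1 in the message above, sketched as an added example; it is not part of the original message and is not any resolver's actual code. The names `Trust`, `classify` and `RankedCache`, and the `example.com` / `ns1.example.net.` records, are constructed for illustration, and the ranking is a simplified subset of the RFC's list.

```python
from enum import IntEnum

class Trust(IntEnum):
    # Simplified subset of the RFC 2181 5.4.1 ranking, least trustworthy first.
    ADDITIONAL_OR_REFERRAL = 1  # additional section; authority section of a non-authoritative answer
    NONAUTH_ANSWER = 2          # answer section of a non-authoritative answer
    AUTH_AUTHORITY = 3          # authority section of an authoritative answer
    AUTH_ANSWER = 4             # answer section of an authoritative answer

def classify(section, aa):
    """Map (message section, AA bit) to a trust rank."""
    if section == "answer":
        return Trust.AUTH_ANSWER if aa else Trust.NONAUTH_ANSWER
    if section == "authority" and aa:
        return Trust.AUTH_AUTHORITY
    return Trust.ADDITIONAL_OR_REFERRAL

class RankedCache:
    def __init__(self):
        self._store = {}  # (owner, rrtype) -> (rdata tuple, Trust)

    def learn(self, owner, rrtype, rdata, section, aa):
        key, rank = (owner.lower(), rrtype), classify(section, aa)
        held = self._store.get(key)
        if held is None or rank >= held[1]:  # less trusted data never replaces more trusted
            self._store[key] = (tuple(rdata), rank)
            return True
        return False

    def answer(self, owner, rrtype):
        """RRset usable in an ANSWER section, or None if the child zone must be asked."""
        held = self._store.get((owner.lower(), rrtype))
        if held is None or held[1] == Trust.ADDITIONAL_OR_REFERRAL:
            return None
        return held[0]

    def next_hop(self, owner, rrtype):
        """Any cached RRset, parent-side referral data included, for choosing where to query."""
        held = self._store.get((owner.lower(), rrtype))
        return held[0] if held else None

if __name__ == "__main__":
    cache = RankedCache()
    # Constructed referral from the parent: NS set in AUTHORITY, AA bit clear.
    cache.learn("example.com", "NS", ["ns1.example.net."], "authority", aa=False)
    print(cache.answer("example.com", "NS"), cache.next_hop("example.com", "NS"))
    # Constructed authoritative answer from the child zone.
    cache.learn("example.com", "NS", ["ns2.example.net."], "answer", aa=True)
    print(cache.answer("example.com", "NS"))
```
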
