Hiya,

On 31/10/17 15:12, Paul Hoffman wrote:
> On 31 Oct 2017, at 8:06, Sara Dickinson wrote:
>
>> So maybe “A DNSSEC validating client SHOULD apply the same validation
>> policy to the A/AAAA meta-query lookup as it does to other queries.”?
>
> That could be misinterpreted to indicate that there has to be some
> positive validation policy. How about:
> A DNSSEC validating client SHOULD apply the same validation policy
> to the A/AAAA meta-query lookup as it does to other queries.
> A client that does not validate DNSSEC SHOULD apply any policy it
> has to the A/AAAA meta-query lookup.

So I think either of the above could be ok. The main thing for me is that we do not insist that a server has to get DNSSEC set up before they can do opportunistic DNS security. I think the above is ok in that respect.

Just checking: I think that means that with the opportunistic profile, only servers that have DNSSEC set up and where the client validates and gets a badly signed response would be affected; all other cases would still get DNS privacy of some sort. If that's right, I can live with it.

Cheers,
S.

>
> --Paul Hoffman
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
