> On 31 Oct 2017, at 18:39, Stephen Farrell <[email protected]> wrote:
>
> Hiya,
>
> On 31/10/17 15:12, Paul Hoffman wrote:
>> On 31 Oct 2017, at 8:06, Sara Dickinson wrote:
>>
>>> So maybe “A DNSSEC validating client SHOULD apply the same validation
>>> policy to the A/AAAA meta-query lookup as it does to other queries.”?
>>
>> That could be misinterpreted to indicate that there has to be some
>> positive validation policy. How about:
>> A DNSSEC validating client SHOULD apply the same validation policy
>> to the A/AAAA meta-query lookup as it does to other queries.
>> A client that does not validate DNSSEC SHOULD apply any policy it
>> has to the A/AAAA meta-query lookup.
>
> So I think either of the above could be ok.
>
> The main thing for me is that we do not insist that a server
> has to get DNSSEC setup before they can do opportunistic DNS
> security. I think the above is ok in that respect.
>
> Just checking: I think that means that with the opportunistic
> profile, only servers that have DNSSEC setup and where the
> client validates and gets a badly signed response would be
> affected, all other cases would still get DNS privacy of some
> sort. If that's right, I can live with it.
Correct. For opportunistic the use case where the client might get no DNS service is where the client is

- configured with ONLY an authentication domain name (no IP address)
- DNSSEC validating and configured to reject BOGUS records (all others accepted)
- receives BOGUS answers for all configured name servers

Sara.
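The three conditions Sara lists can be checked mechanically. The following is an added illustration, not code from the thread or from any DNS client implementation: it models a client's configured servers (authentication domain name and/or IP literal), its validation policy, and simulated DNSSEC outcomes for the A/AAAA meta-query, and reports whether the opportunistic profile still yields DNS service. The `Dnssec` states, the `ServerConfig` and `ClientPolicy` shapes, and the answer table are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Dnssec(Enum):
    """Simulated validation outcome of the A/AAAA meta-query for an ADN."""
    SECURE = "secure"
    INSECURE = "insecure"   # unsigned zone: accepted under the policy in the thread
    BOGUS = "bogus"         # badly signed: rejected by a validating client


@dataclass(frozen=True)
class ServerConfig:
    """One configured DNS privacy server (hypothetical config shape)."""
    adn: Optional[str]   # authentication domain name, e.g. "dns.example" (constructed)
    ip: Optional[str]    # IP literal; if present, no meta-query is needed


@dataclass(frozen=True)
class ClientPolicy:
    """Hypothetical client policy: whether it validates and rejects BOGUS."""
    validating: bool
    reject_bogus: bool


def meta_query_usable(server: ServerConfig, policy: ClientPolicy,
                      answers: Dict[str, Dnssec]) -> bool:
    """True if the client can reach this server under its validation policy.

    An IP-configured server needs no A/AAAA lookup. For an ADN-only server the
    same validation policy is applied to the meta-query as to any other query:
    a validating client that rejects BOGUS discards a BOGUS answer; every other
    combination (SECURE, INSECURE, or a non-validating client) is accepted.
    """
    if server.ip is not None:
        return True
    if server.adn is None or server.adn not in answers:
        return False  # nothing to connect to
    result = answers[server.adn]
    if policy.validating and policy.reject_bogus and result is Dnssec.BOGUS:
        return False
    return True


def has_dns_service(servers: List[ServerConfig], policy: ClientPolicy,
                    answers: Dict[str, Dnssec]) -> bool:
    """Opportunistic profile: service exists if any configured server is usable."""
    return any(meta_query_usable(s, policy, answers) for s in servers)


# Constructed sample scenario: two ADN-only servers, both returning BOGUS.
SAMPLE_SERVERS = [ServerConfig(adn="dns1.example", ip=None),
                  ServerConfig(adn="dns2.example", ip=None)]
SAMPLE_ANSWERS = {"dns1.example": Dnssec.BOGUS, "dns2.example": Dnssec.BOGUS}
STRICT_VALIDATOR = ClientPolicy(validating=True, reject_bogus=True)
NON_VALIDATOR = ClientPolicy(validating=False, reject_bogus=False)


def no_service_case() -> bool:
    """The single failing case from the thread: ADN-only, validating, all BOGUS."""
    return has_dns_service(SAMPLE_SERVERS, STRICT_VALIDATOR, SAMPLE_ANSWERS)


def non_validating_case() -> bool:
    """Same answers, but a client that does not validate still gets service."""
    return has_dns_service(SAMPLE_SERVERS, NON_VALIDATOR, SAMPLE_ANSWERS)


def ip_fallback_case() -> bool:
    """Adding one IP-configured server restores service for the strict validator."""
    servers = SAMPLE_SERVERS + [ServerConfig(adn=None, ip="192.0.2.53")]
    return has_dns_service(servers, STRICT_VALIDATOR, SAMPLE_ANSWERS)


def one_good_answer_case() -> bool:
    """If any ADN validates as SECURE or INSECURE, the strict validator has service."""
    answers = dict(SAMPLE_ANSWERS, **{"dns2.example": Dnssec.INSECURE})
    return has_dns_service(SAMPLE_SERVERS, STRICT_VALIDATOR, answers)


if __name__ == "__main__":
    print("ADN-only, strict, all BOGUS -> service:", no_service_case())
    print("ADN-only, non-validating     -> service:", non_validating_case())
    print("plus an IP-configured server -> service:", ip_fallback_case())
    print("one ADN INSECURE             -> service:", one_good_answer_case())
```

Only the first scenario loses service; relaxing any one of the three conditions (an IP literal in the configuration, a non-validating client, or a single non-BOGUS answer) brings it back, which is the point Stephen was checking.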
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
