On Tue, 17 Nov 2015, Mark Andrews wrote:
> > A DNS query that contains the CHAIN option MUST also have the DNSSEC OK ("OK") bit set. If this bit is not set, or if the Checking Disabled ("CD") bit is set, the CHAIN option received MUST be ignored.
>
> Why disabled on CD=1? If you have the contents cached and validated already, what does it hurt to send the trust chain? If you don't have an element of the trust chain you can still fetch it and return it unvalidated just using the signer names.
If you ask for www.toronto.redhat.com with CD=1 and redhat.com's RRSIGs are missing, do you still traverse down the chain to www.toronto.redhat.com? Also, the upstream resolver might not want to serve any data below it. How could it fetch a (bogus) chain for the answer without mixing up these known bad records in its cache? I thought it better to just not support it. But I could be convinced otherwise.

Paul

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
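The rule quoted from the draft (honour CHAIN only when DO is set and CD is clear) is easy to get wrong on the wire because the two bits live in different places: CD is in the DNS header flags, DO is in the high half of the OPT pseudo-RR's TTL field. The following is an added example written for this discussion, not code from the draft, its authors, or any resolver: it builds a query with an EDNS CHAIN option and shows how a resolver would decide whether to act on it. It assumes EDNS option code 13 for CHAIN (the value later registered for it), an ID of 0x1234, and the example names from the thread; the queries it parses are constructed inline.

```python
import struct

EDNS_OPT_TYPE = 41
CHAIN_OPTION_CODE = 13   # EDNS option code assumed for CHAIN in this example
FLAG_RD = 0x0100         # Recursion Desired, header flags
FLAG_CD = 0x0010         # Checking Disabled, header flags (bit 4)
DO_BIT = 0x8000          # DNSSEC OK, bit 15 of the 32-bit OPT TTL field


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(wire):
    """Decode an uncompressed wire-format name back to dotted form."""
    labels, off = [], 0
    while wire[off]:
        n = wire[off]
        labels.append(wire[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + "."


def skip_name(msg, off):
    """Return the offset just past a wire-format name (pointers allowed)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_query(qname, cd=False, do=True, chain_trust_point=None):
    """Constructed query: one A question plus an OPT RR, optionally with CHAIN."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    options = b""
    if chain_trust_point is not None:
        data = encode_name(chain_trust_point)       # closest trust point
        options += struct.pack("!HH", CHAIN_OPTION_CODE, len(data)) + data
    ttl = DO_BIT if do else 0                         # ext-rcode 0, version 0
    opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, 4096, ttl, len(options)) + options
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # type A, class IN
    return header + question + opt


def evaluate_chain(msg):
    """Apply the draft's rule to a wire-format query.

    Returns (status, trust_point): status is "honour", "ignored-do-clear",
    "ignored-cd-set" or "absent"; trust_point is the CHAIN name or None.
    """
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # QTYPE + QCLASS
    for _ in range(an + ns):
        off = skip_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != EDNS_OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            odata = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code != CHAIN_OPTION_CODE:
                continue
            if not ttl & DO_BIT:
                return "ignored-do-clear", None
            if flags & FLAG_CD:
                return "ignored-cd-set", None
            return "honour", decode_name(odata)
    return "absent", None


if __name__ == "__main__":
    q = build_query("www.toronto.redhat.com", chain_trust_point="redhat.com")
    print(evaluate_chain(q))                       # ('honour', 'redhat.com.')
    print(evaluate_chain(build_query("www.toronto.redhat.com", cd=True,
                                     chain_trust_point="redhat.com")))
```

Separating the two failure reasons is deliberate: a resolver that logs "ignored-cd-set" distinctly makes Mark's scenario (a CD=1 client that wanted the chain anyway) visible in its metrics, which is the evidence one would want before relaxing the rule.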
