I think I'm okay with "resolvers SHOULD send DO when priming." Seems like BIND and Unbound already do this.
Do we also need to say that the resolver SHOULD/MUST retry with DO=0 if there is no response to the first priming query? The more important question may be: what shall the resolver do if validation of the priming response fails? I'm skeptical that we, as a group, will be willing to say that the resolver should refuse to forward any queries to a root unless validation succeeds.

DW

> On Jan 21, 2016, at 7:22 PM, Paul Hoffman <[email protected]> wrote:
>
> In Warren's review of the draft, he says:
>
> I think that resolvers SHOULD send DO, and should try validate (if it gets
> signed responses). This is pointless at the moment, but if / when we end up
> with signed root-servers.net (or foo.bar) it would be nice if the right
> things were already being done.
>
> This seems like a good start for a discussion.
>
> --Paul Hoffman
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
