On Sun, 3 Apr 2016, [email protected] wrote:
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-dnssec-roadblock-avoidance-04
The new text states:
    If the resolver is labeled as "Validator" or "DNSSEC aware"
        Send query through this resolver and perform local
        validation on the results.
        If validation fails, try the next resolver
    Else if the resolver is labeled "Not a DNS Resolver" or
      "Non-DNSSEC capable"
        Mark it as unusable and try next resolver
    Else if no more resolvers are configured and if direct queries
      are supported
        1. try iterating from Root
        2. If the answer is SECURE/BOGUS:
           Return the result of the iteration
        3. If the query is INSECURE:
           Re-query "Non-DNSSEC capable" servers and return
           answers from them w/o the AD bit set to the client.
           This will increase the likelihood that split-view unsigned
           answers are found.
    Else return a useful error code
Should item 3. be "if the answer is INSECURE" instead of "If the query is
INSECURE" ?
And should it be "w/o the DO and AD bit set" instead of "w/o the AD bit set" ?
Paul
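The fallback order quoted above, written out as an added example (not code from the draft or from any resolver implementation). The Answer and Resolver classes, the stub responders and the use of the validation status on each answer to stand in for local validation are assumptions of this model; only the AD bit is tracked, not the DO bit Paul asks about.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Resolver labels from the draft's probing section; the Answer/Resolver
# model and the stub responders are constructed for this example.
VALIDATOR, DNSSEC_AWARE = "Validator", "DNSSEC aware"
NOT_RESOLVER, NON_DNSSEC = "Not a DNS Resolver", "Non-DNSSEC capable"

@dataclass
class Answer:
    status: str        # "SECURE", "INSECURE", "BOGUS" (or "ERROR" when nothing worked)
    rrset: tuple       # stand-in for the answer records
    ad: bool = False   # AD bit as handed to the stub resolver's client

@dataclass
class Resolver:
    name: str
    label: str
    respond: Callable[[str], Answer]   # qname -> this resolver's answer

def resolve(qname: str, resolvers: list,
            iterate_from_root: Optional[Callable[[str], Answer]] = None) -> Answer:
    """Walk the draft's fallback order. Local validation is modelled by the
    status carried on each answer; iterate_from_root is None when direct
    queries are not supported."""
    non_dnssec = []
    for r in resolvers:
        if r.label in (VALIDATOR, DNSSEC_AWARE):
            ans = r.respond(qname)
            if ans.status != "BOGUS":            # validation passed (SECURE or INSECURE)
                return Answer(ans.status, ans.rrset, ad=(ans.status == "SECURE"))
            # validation failed: try the next resolver
        elif r.label == NON_DNSSEC:
            non_dnssec.append(r)                 # unusable now, but kept for step 3
        # "Not a DNS Resolver": mark unusable and try the next one
    if iterate_from_root is None:
        return Answer("ERROR", ())               # "return a useful error code"
    ans = iterate_from_root(qname)
    if ans.status in ("SECURE", "BOGUS"):
        return ans                               # step 2: result of the iteration
    # step 3, INSECURE: an unsigned split-view answer is only visible through
    # the local non-DNSSEC-capable servers, so re-query them; AD is never set.
    if non_dnssec:
        return Answer("INSECURE", non_dnssec[0].respond(qname).rrset, ad=False)
    return Answer("INSECURE", ans.rrset, ad=False)
```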
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop