>>
>> The current text in -09 reads:
>>
>> The DNS response is DNSSEC validated, regardless of whether
>> DNSSEC validation was requested, and result of validation is
>> “Secure”
>>
After discussing this with Warren and Joao I’d like to propose a slightly
different wording to the WG. The proposed wording is:
All of the following conditions must be met to trigger special
processing inside resolver code:
The DNS response is DNSSEC validated
The result of validation is "Secure"
The AD bit is to be set in the response
The QTYPE is either A or AAAA (Query Type value 1 or 28)
The OPCODE is QUERY
The leftmost label of the original QNAME (the name sent in the
Question Section in the original query) is either
"root-key-sentinel-is-ta-<key-tag>" or
"root-key-sentinel-not-ta-<key-tag>"
If any one of the preconditions is not met, the resolver MUST NOT
alter the DNS response based on the mechanism in this document
What was concerning me was that the wording in -09 could be mis-interpreted to
be subtly altering the preconditions for a resolver to perform validation, and
that's best left to the mainstream DNSSEC specification documents. If there are
any lingering uncertainties as to when and why a resolver performs DNSSEC
validation and communicates the outcome in a response, I think that they are
best resolved in a focussed discussion on the preconditions for DNSSEC
validation rather than obliquely in this sentinel draft. Hence the proposed
text above, that simply says that the AD bit is set in the response.
The other change I’m proposing is one of consistency - the -09 text had
proposed two conditions in one sentence then enumerated a further three
conditions. I felt it was more consistent to explicitly enumerate all
conditions.
Are there any objections from the WG to integrating this change and pushing out
a -10 version of this draft?
regards,
Geoff
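As an added illustration (not text from the draft and not code from the message above) of how a resolver might gate the sentinel logic on exactly the enumerated preconditions, here is a Python check; the ResponseState field names, the 16-bit key-tag range check and case-insensitive label matching are my assumptions.

```python
from dataclasses import dataclass
import re

# The two sentinel label forms from the proposed wording; <key-tag> is decimal.
# Assumption: DNS labels compare case-insensitively, so the match ignores case.
SENTINEL_LABEL = re.compile(r"^root-key-sentinel-(is|not)-ta-(\d+)$", re.IGNORECASE)

QTYPE_A, QTYPE_AAAA = 1, 28   # Query Type values named in the proposed text
OPCODE_QUERY = 0              # the standard QUERY opcode


@dataclass
class ResponseState:
    """Constructed view of what a resolver knows about a response (assumed names)."""
    qname: str               # original QNAME from the Question Section
    qtype: int
    opcode: int
    dnssec_validated: bool
    validation_result: str   # e.g. "Secure", "Insecure", "Bogus"
    ad_bit: bool             # whether AD will be set in the response


def parse_sentinel_label(qname: str):
    """Return ("is" | "not", key_tag) when the leftmost label of the original
    QNAME is a sentinel label, otherwise None. Key tags are 16-bit values."""
    leftmost = qname.rstrip(".").split(".")[0]
    m = SENTINEL_LABEL.match(leftmost)
    if m is None:
        return None
    key_tag = int(m.group(2))
    if key_tag > 0xFFFF:
        return None
    return m.group(1).lower(), key_tag


def sentinel_processing_applies(r: ResponseState) -> bool:
    """True only when every precondition in the proposed wording holds; if any
    single one fails, the resolver must leave the response unaltered."""
    return (
        r.dnssec_validated
        and r.validation_result == "Secure"
        and r.ad_bit
        and r.qtype in (QTYPE_A, QTYPE_AAAA)
        and r.opcode == OPCODE_QUERY
        and parse_sentinel_label(r.qname) is not None
    )
```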
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop