>
> No. Below is self contradictory. Condition 1 requires that
> CD=1 be turned into CD=0 and condition 3 requires that no special
> processing happens for CD=1.
>
> How CD is handled determines what you are testing when you have
> resolvers in series.
>
> Do you want CD=1 to disable special processing?
yes
> Do you want to only test the first validator?
yes
> Do you want to test the entire chain?
no
> Do you want consistency?
err, umm - yes? (is this a trick question? :-) )
>
> All the scenarios need to be worked through remembering that there
> is a cache that may be populated.
>
Mark, would it help if the phrase “regardless of whether DNSSEC validation was
requested.” was removed?
i.e.:
   All of the following conditions must be met to trigger special
   processing inside resolver code:

   o  The DNS response is DNSSEC validated.
   o  The result of validation is "Secure".
   o  The Checking Disabled (CD) bit in the query is not set.
   o  The QTYPE is either A or AAAA (Query Type value 1 or 28).
   o  The OPCODE is QUERY.
   o  The leftmost label of the original QNAME (the name sent in the
      Question Section in the original query) is either
      "root-key-sentinel-is-ta-<key-tag>" or
      "root-key-sentinel-not-ta-<key-tag>".

Geoff
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
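
The condition list proposed in the message above, written as a check over a wire-format query. This is an added example, not code from the message, the draft or any resolver; the function names, the validation_result argument and the decimal form of <key-tag> are assumptions, and the sample query is constructed.

```python
import re
import struct

# Assumption: <key-tag> is decimal digits; the message does not give its format.
LABEL_RE = re.compile(rb"root-key-sentinel-(is|not)-ta-(\d{1,5})", re.I)
CD_BIT = 0x0010  # Checking Disabled flag in the DNS header flags field


def sentinel_trigger(query, validation_result):
    """Return (kind, key_tag) when every listed condition holds, else None.

    query is the original query in wire format; validation_result is the
    validator's verdict on the response, or None if it was not validated
    (a hypothetical interface for this example).
    """
    if validation_result != "Secure" or len(query) < 12:
        return None
    _id, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & CD_BIT:                 # CD=1: no special processing
        return None
    if (flags >> 11) & 0xF != 0:       # OPCODE must be QUERY (0)
        return None
    if qdcount != 1:                   # parsing sanity check, not a listed condition
        return None
    pos, first = 12, None
    while True:                        # walk QNAME, keep the leftmost label
        if pos >= len(query):
            return None
        n = query[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(query):   # pointer or truncated label
            return None
        if first is None:
            first = query[pos:pos + n]
        pos += n
    if first is None or pos + 4 > len(query):
        return None
    qtype, _qclass = struct.unpack("!HH", query[pos:pos + 4])
    m = LABEL_RE.fullmatch(first)
    if qtype not in (1, 28) or m is None:    # A or AAAA only
        return None
    return m.group(1).decode().lower() + "-ta", int(m.group(2))


def build_query(name, qtype, cd=False):
    """Build a constructed sample query (RD set) to exercise the check."""
    qname = b"".join(bytes([len(p)]) + p for p in name.encode().split(b".")) + b"\0"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100 | (CD_BIT if cd else 0), 1, 0, 0, 0)
    return hdr + qname + struct.pack("!HH", qtype, 1)
```

Only the leftmost label is matched, so a sentinel label that appears deeper in the name does not trigger, and a query with CD=1 returns None whatever the validation result.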