> On Oct 2, 2019, at 8:01 AM, Tony Finch <[email protected]> wrote:
>
> Re. EDE 5 indeterminate, RFC 4035 says:
>
> Indeterminate: An RRset for which the resolver is not able to
> determine whether the RRset should be signed, as the resolver is
> not able to obtain the necessary DNSSEC RRs. This can occur when
> the security-aware resolver is not able to contact security-aware
> name servers for the relevant zones.
>
> Is this not also covered by EDE 9 (DNSKEY missing) and EDE 10 (RRSIG
> missing)?

No, it is not. The indeterminate state happens when DS RRset lookups
servfail for the zone or one of its ancestors; this could be a lookup
timeout or a validation issue. So not identical with DNSKEY missing.

> [ I'm still not convinced "indeterminate" is a coherent validation state... ]

It happens when glue NS records are available, but DS RRsets are not.

--
Viktor.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop