On Apr 29, 2020, at 7:12 PM, Shumon Huque <[email protected]> wrote:

> Mike, perhaps there was some confusion on this point 12 years ago, but
> deployed validator code all agree on what the state is. I encourage
> implementers to confirm (or correct me if I misstate something).

Absolutely. You only get the AD bit if *ALL* RRs in the Answer & Auth sections are validated as secure.

….

> : If you've got a securely insecure (e.g. delegation was to an insecure
> : zone at some point) CNAME that points into a secure zone, I would say
> : your result is probably Bogus or Unsecure as you haven't any way to
> : evaluate trust. I don't think you can bootstrap security this way..
>
> Deployed validator code says Insecure.. It can't be Bogus, because the
> validator has determined that the CNAME is a demonstrably insecure zone,

Furthermore, the CNAME alias RRset must be validated unless the CD bit is set. A validating resolver MUST validate and can only return RRsets if they are proven to be either insecure or secure. If the aliased RRset is bogus, the answer is SERVFAIL.

— Brian

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
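The combination rules spelled out in the thread above (AD only when every RRset in Answer and Authority is Secure; an Insecure CNAME aliasing into a Secure zone yields Insecure; a Bogus RRset yields SERVFAIL unless CD is set), as an added Python example that is not part of the mailing-list discussion. The `State`/`RRset` types and the `*.example.` names are constructed for illustration, not taken from any resolver's code.

```python
from dataclasses import dataclass
from enum import Enum

# Validation state a DNSSEC validator assigns to one RRset (constructed type).
class State(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"

@dataclass(frozen=True)
class RRset:
    owner: str
    rrtype: str
    state: State

def classify_response(answer, authority, cd_bit=False):
    """Return (rcode, ad_bit) for a whole response.

    AD is set only when every RRset in the Answer and Authority sections
    validated as Secure.  A Bogus RRset anywhere gives SERVFAIL, unless the
    client set CD, in which case the data is handed back unvalidated with
    AD clear.  Any other mix (e.g. Insecure + Secure) is Insecure: NOERROR, no AD.
    """
    rrsets = list(answer) + list(authority)
    if cd_bit:
        return "NOERROR", False
    if any(r.state is State.BOGUS for r in rrsets):
        return "SERVFAIL", False
    if rrsets and all(r.state is State.SECURE for r in rrsets):
        return "NOERROR", True
    return "NOERROR", False

# Constructed sample: CNAME owned by a provably insecure zone, aliasing into a
# secure zone.  The chain as a whole is Insecure: answer returned, AD clear.
INSECURE_TO_SECURE = [
    RRset("www.insecure.example.", "CNAME", State.INSECURE),
    RRset("target.secure.example.", "A", State.SECURE),
]
# Constructed sample: same alias, but the target RRset fails validation.
INSECURE_TO_BOGUS = [
    RRset("www.insecure.example.", "CNAME", State.INSECURE),
    RRset("target.secure.example.", "A", State.BOGUS),
]
# Constructed sample: every RRset in the chain validated as Secure.
ALL_SECURE = [
    RRset("www.secure.example.", "CNAME", State.SECURE),
    RRset("target.secure.example.", "A", State.SECURE),
]
```

Real validators additionally set AD only when the query itself carried the DO or AD bit (RFC 6840), which this sketch leaves out.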
