On Apr 30, 2020, at 8:17 AM, Ted Lemon <[email protected]> wrote:
>
> On Apr 29, 2020, at 11:38 PM, Brian Somers <[email protected]> wrote:
>> Furthermore, the CNAME alias RRset must be validated unless the CD bit is set.
>> A validating resolver MUST validate and can only return RRsets if they are
>> proven to be either insecure or secure. If the aliased RRset is bogus, the
>> answer is SERVFAIL.
>
> Ah. I like this answer. Is there a place where this is stated in the RFC that
> we can point to?
>
I would say RFC 4035 sections 4.2 and 4.3 say this. Section 5.5 re-iterates that SERVFAIL should be sent if signatures don’t validate.

— Brian
