First off, I think this draft is long overdue - thanks for publishing it. I was thinking that there might be a need for passing on the settings of the AD/CD bits, or a bit to indicate that the response was obtained through a secure channel. So three bits of the array in total:
x AD bit set x+1 CD bit set x+2 response obtained through a secure channel I don't know if every application may care about this, but I can imagine a response array with the secure channel bit set, the AD bit set, indicating it could be trusted, even if the resolver did not perform validation itself. Scott . dnsop resources:_____________________________________________________ web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
