----- Original Message ----- From: "Dean Anderson" <[EMAIL PROTECTED]>

> How can the response be trusted, if the resolver did not perform
> validation?
>
> "Hi, I'm the president of the United States. See, I've set the 'response
> obtained through a secure channel' bit. Surely there is no need to
> validate my claim."
>

I was thinking of the case where a resolver has a secure channel set up with a middlebox resolver that performs validation and sends back the result. The end client could re-do the validation (if it is capable), or could trust the results from the upstream validating resolver. I should have been more clear on that.

I am thinking how necessary it is for an application to know if it is dealing with a resolver that cannot perform validation, but uses some other trusted (or untrusted) method of resolving DNS queries.

Scott

> --Dean
>
> On Tue, 17 Feb 2004, Scott Rose wrote:
>
> > First off, I think this draft is long overdue - thanks for publishing it.
> >
> > I was thinking that there might be a need for passing on the settings of the
> > AD/CD bits, or a bit to indicate that the response was obtained through a
> > secure channel. So three bits of the array in total:
> >
> > x   AD bit set
> > x+1 CD bit set
> > x+2 response obtained through a secure channel
> >
> > I don't know if every application may care about this, but I can imagine a
> > response array with the secure channel bit set, the AD bit set, indicating
> > it could be trusted, even if the resolver did not perform validation itself.
> >
> > Scott
> >
> > dnsop resources:_____________________________________________________
> > web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
> > mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
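As an added example (not from the thread, and not from the draft under discussion), a small Python policy function showing how an application could act on the three proposed bits while honouring Dean's objection: the AD and secure-channel bits are only a claim by whoever filled in the array, and count as validation only when the application already knows the other end of that channel is a validating resolver. The bit positions (x = 0) and the ResolverContext fields are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Sequence

# Bit positions x, x+1, x+2 from the proposal, with x = 0 assumed here.
AD_BIT, CD_BIT, SECURE_CHANNEL_BIT = 0, 1, 2


@dataclass(frozen=True)
class ResolverContext:
    # True only when the application itself set up the secure channel to a
    # middlebox resolver it knows performs DNSSEC validation (hypothetical
    # configuration knob; the thread does not define how this is learned).
    channel_peer_is_trusted_validator: bool
    # True when this client is able to run DNSSEC validation itself.
    can_validate_locally: bool


def trust_decision(flags: Sequence[bool], ctx: ResolverContext) -> str:
    """Classify a response as 'validated-upstream', 'revalidate' or 'unverified'.

    The AD and 'secure channel' bits are claims made by whoever filled in the
    array. They are worth something only when the application already knows
    the other end of that channel is a validating resolver.
    """
    ad, cd, secure = (bool(flags[i]) for i in (AD_BIT, CD_BIT, SECURE_CHANNEL_BIT))
    if not cd and ad and secure and ctx.channel_peer_is_trusted_validator:
        # An upstream validator vouched for the data over a channel we set up.
        return "validated-upstream"
    if ctx.can_validate_locally:
        # CD was set (no upstream checking), the channel is not one we
        # configured, or AD is missing: redo the validation ourselves.
        return "revalidate"
    # Cannot validate and cannot trust the claim: treat as unsigned data.
    return "unverified"
```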
