On 14/09/17 18:02, Geoff Keating via Public wrote:
> the domain's zone does not have a DNSSEC validation chain to the
> ICANN root.
>
> I suggest replacing the last item with “the record being looked up is
> classified as ‘Insecure’ under RFC 4035 section 4.3, as amended.”
Section 4.3 begins:

"A security-aware resolver MUST be able to determine whether it should expect a particular RRset to be signed."

and then explains how to so determine. And this seems to me to be exactly what we want to determine.

So, for me, that makes this change clear and understandable. And one would hope that it's well-defined, unless parts of how DNSSEC works are not well-defined (surely not!).

Gerv

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
