works for me, thanks!
Paul
On Wed, Sep 20, 2023 at 7:47 PM Wessels, Duane
wrote:
>
>
> > On Sep 20, 2023, at 2:23 PM, Paul Wouters wrote:
> >
> >
> >>> To prevent such unnecessary DNS traffic, security-aware resolvers
> >>> MUST cache DNSSEC validation failures, with some
> On Sep 20, 2023, at 2:23 PM, Paul Wouters wrote:
>
>
>>> To prevent such unnecessary DNS traffic, security-aware resolvers
>>> MUST cache DNSSEC validation failures, with some restrictions.
>>>
>>> What are these "some restrictions" ?
>>
>> Here our intention is to update
On Tue, 19 Sep 2023, Wessels, Duane wrote:
Section 4.7 of RFC 4035 talks about the “BAD cache” where an implementation can
cache data with invalid signatures. It says:
o Since RRsets that fail to validate do not have trustworthy TTLs,
the implementation MUST assign a TTL. This TTL
> On Sep 6, 2023, at 8:56 PM, Paul Wouters via Datatracker
> wrote:
>
>
> --
> COMMENT:
> --
>
> Thanks for this document and my apologies for being
On Sep 7, 2023, at 19:28, Mark Andrews wrote:
>
>
>
> The server shouldn’t be caching the RRset and its RRSIGs unless they validate
> successfully. This is a requirement of DNSSEC. This is also why recursive
> servers need to validate responses so that garbage is not cached.
Ah, so just
> On 7 Sep 2023, at 13:56, Paul Wouters via Datatracker
> wrote:
>
> Paul Wouters has entered the following ballot position for
> draft-ietf-dnsop-caching-resolution-failures-07: Yes
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the
Paul Wouters has entered the following ballot position for
draft-ietf-dnsop-caching-resolution-failures-07: Yes
When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)
Please