Re: IESG feedback on dnsext-ad-is-secure
On Thu, 2002-06-13 at 08:43, Erik Nordmark wrote:
>
> > Uh, I'm not quite sure what you're saying here, but this statement makes
> > me a little nervous. AD=1 means the back end has validated signatures,
> > *and* all the required signatures were present and valid. AD=0 means
> > the back end has not validated signatures, *or* the required signatures
> > were absent or invalid. AD doesn't give you a way to determine if the
> > back end is DNSSEC-aware or not, unless you happen to know of a record
> > with a valid signature.
> I've been assuming that 'some of the required signatures are invalid'
> would mean that the data wouldn't be returned to the client.
Er, yes, presumably, since that's what you see if someone tries to spoof
a signed record. So I should have written:

    AD=0 means the back end has not validated signatures, *or* the
    required signatures were absent.

Whether a recursive resolver should ever be forgiving with Bad data is
perhaps a debatable question, but I don't think it has much to do with
whether the AD bit is a good idea. The same problem exists even if we
don't give any meaning to AD.
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
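The AD-bit semantics discussed in this message, as an added worked example that is not part of the original mail or the namedroppers thread: a Python snippet that decodes the flags word of a DNS response header and maps the AD bit onto the only conclusions it supports. AD=1 is reported as authenticated; AD=0 is reported as "indeterminate" unless the client already knows its resolver validates, because, as the message says, AD=0 alone cannot distinguish a non-validating back end from data whose required signatures are absent. The header layout and bit masks are the ones defined in RFC 1035 and RFC 2535; the function names, the `resolver_validates` hint and the sample headers are constructed for illustration and are not taken from any implementation.

```python
import struct
from typing import Optional

# Bit masks for the 16-bit flags word of the DNS message header.
# QR/RD/RA are from RFC 1035; AD and CD were added by DNSSEC (RFC 2535).
QR = 0x8000
RD = 0x0100
RA = 0x0080
AD = 0x0020  # Authentic Data: set by a validating resolver
CD = 0x0010  # Checking Disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F

# id, flags, qdcount, ancount, nscount, arcount (network byte order)
HEADER = struct.Struct("!HHHHHH")


def build_header(ident: int, *, ad: bool, ra: bool = True, rd: bool = True,
                 qdcount: int = 1, ancount: int = 1) -> bytes:
    """Build a 12-byte DNS response header (constructed test data, not a capture)."""
    flags = QR | (RD if rd else 0) | (RA if ra else 0) | (AD if ad else 0)
    return HEADER.pack(ident, flags, qdcount, ancount, 0, 0)


def parse_header(msg: bytes) -> dict:
    """Decode the header of a DNS message; rejects truncated input."""
    if len(msg) < HEADER.size:
        raise ValueError(f"DNS message too short: {len(msg)} bytes")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def interpret_ad(hdr: dict, resolver_validates: Optional[bool]) -> str:
    """Map the AD bit onto the only conclusions it supports.

    resolver_validates is what the client already knows about its back end
    (hypothetical hint): True = known to validate, False = known not to,
    None = unknown.
    """
    if hdr["ad"]:
        # All required signatures were present and valid.
        return "authenticated"
    if hdr["cd"]:
        # Client asked for no checking, so AD=0 carries no information.
        return "indeterminate"
    if resolver_validates is True:
        # A validating back end returned AD=0, so the required signatures were absent.
        return "unsigned"
    # Non-validating resolver or unsigned data: the bit alone cannot tell which.
    return "indeterminate"


def resolver_is_validating(hdr_for_known_signed_name: dict) -> bool:
    """Probe described in the message: query a name the client knows is correctly signed.

    AD=1 on that response shows the back end validates; AD=0 shows it does not.
    """
    return hdr_for_known_signed_name["ad"]


if __name__ == "__main__":
    # Constructed sample headers for one signed name seen through two resolvers.
    via_validating = build_header(0x1234, ad=True)
    via_plain = build_header(0x1234, ad=False)
    print(interpret_ad(parse_header(via_validating), None))  # authenticated
    print(interpret_ad(parse_header(via_plain), None))       # indeterminate
    print(interpret_ad(parse_header(via_plain), True))       # unsigned
    print(resolver_is_validating(parse_header(via_validating)))  # True
```

The `resolver_is_validating` probe only settles the question for the path between this client and this resolver; the AD bit itself says nothing about whether an unsigned answer came from an unsigned zone or from a back end that never checked.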