DNSSECbis Q-16: Security-aware recursive name server behavior when CD=1 and DO=0
- To: Namedroppers Mailing List <namedroppers@ops.ietf.org>
- Subject: DNSSECbis Q-16: Security-aware recursive name server behavior when CD=1 and DO=0
- From: Matt Larson <mlarson@verisign.com>
- Date: Thu, 21 Aug 2003 09:30:09 -0400
- User-agent: Mutt/1.5.4i
This question corresponds to editors' note #14 from
draft-ietf-dnsext-dnssec-protocol-01. (Note: DNSSECbis Q-15
incorrectly claimed to correspond to editors' note #14. Q-15 actually
corresponds to editors' note #15.)

Q-16: What should a security-aware recursive name server do if it
receives a query with CD=1 and DO=0?

Background: Here is the text in question from Section 4.1 (page 23) of
draft-ietf-dnsext-dnssec-protocol-01:

   The name server side of a security-aware recursive name server MUST
   pass the sense of the CD bit to the resolver side along with the rest
   of an initiating query, so that the resolver side will know
   whether or not it is required to verify the response data it returns
   to the name server side.

Suggested additional text:

   The sense of the CD bit is only considered when a query also has
   the DO bit set. A security-aware recursive name server MUST ignore
   the sense of the CD bit if the DO bit is not set.

Please comment on the suggested text.