Re: [dnsext] caches, validating resolvers, CD and DO

Alex Bligh <alex@alex.org.uk> Wed, 30 March 2011 06:40 UTC

--On 30 March 2011 17:23:35 +1100 Mark Andrews <marka@isc.org> wrote:

> When these do not validate or SERVFAIL is returned, the validating
> resolver should then re-issue the query with CD set and an EDNS
> option indicating which upstream servers have been tried.

Why "should"? Effectively the validating resolver is handing off
DNSSEC validation to the upstream server here, isn't it? It might not
want to trust the upstream server, particularly if it's already
got records that don't validate.

-- 
Alex Bligh