Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-10 and AD

[Geoff Huston <gih@apnic.net>]

> 
> No.  Below is self contradictory. Condition 1 requires that
> CD=1 be turned into CD=0 and condition 3 requires that no special
> processing happens for CD=1.
> 
> How CD is handled determines what you are testing when you have
> resolvers in series.
> 
> Do you want CD=1 to disable special processing?

yes

> Do you want to only test the first validator?

yes

> Do you want to test the entire chain?

no

> Do you want consistency?

err, umm - yes? (is this a trick question? :-) )

> 
> All the scenarios need to be worked through remembering that there
> is a cache that may be populated.
> 


Mark, would it help if the phrase “regardless of whether DNSSSEC validation was requested.” 
was removed?

i.e.:


 All of the following conditions must be met to trigger special
 processing inside resolver code:

 o  The DNS response is DNSSEC validated

 o  The result of validation is “Secure”.

 o  The Checking Disabled (CD) bit in the query is not set.

 o  The QTYPE is either A or AAAA (Query Type value 1 or 28).

 o  The OPCODE is QUERY.

 o  The leftmost label of the original QNAME (the name sent in the
    Question Section in the original query) is either "root-key-
    sentinel-is-ta-<key-tag>" or "root-key-sentinel-not-ta-<key-tag>”.


Geoff