Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-10 and AD

[Geoff Huston <gih@apnic.net>]

> On 4 Apr 2018, at 10:59 am, Mark Andrews <marka@isc.org> wrote:
> 
> 
>> On 4 Apr 2018, at 10:28 am, Geoff Huston <gih@apnic.net> wrote:
>> 
>> I thought that if the query contained CD = 1 then the DNS response
>> would not be validated,
> 
> This ONLY applies if the answer is NOT ALREADY CACHED.  If the answer
> is already cached then CD=1 queries will get this processing as the
> answer returned from the cache will be “secure” or “insecure” depending
> on ealier validation.  If you don’t want CD=1 queries to get this processing
> you need to explicitly exclude it.  You can’t depend on the answer NOT being
> cached.
> 

Mark,

If I understand you correctly, then the preconditions need to include
an explicit provision that the CD bit is not set. 

Does the following wording work for you?


  All of the following conditions must be met to trigger special
  processing inside resolver code:

  o  The DNS response is DNSSEC validated, regardless of whether
     DNSSSEC validation was requested.

  o  The result of validation is “Secure”.

  o  The Checking Disabled (CD) bit in the query is not set.

  o  The QTYPE is either A or AAAA (Query Type value 1 or 28).

  o  The OPCODE is QUERY.

  o  The leftmost label of the original QNAME (the name sent in the
     Question Section in the original query) is either "root-key-
     sentinel-is-ta-<key-tag>" or "root-key-sentinel-not-ta-<key-tag>”.


regards,

   Geoff