On Tue, 8 Apr 2014, Nico Williams wrote:

We should want fail-closed semantics. I very much prefer having a
caching validating local server. I don't mind making people (and
configuration apps) explicitly set a global in /etc/resolv.conf to
disable AD stripping.

After further discussion, it seems that pwouters is okay with AD bit
stripping in stub resolver if it is explicitly requested by a calling
application. (E.g. by special resolver initialization.)

Again, we need fail-closed semantics.

You do if you are _asking_ for it. But you need to ask or else you break
backwards compatibility with a rack of servers using a nearby trusted
resolver.

Paul
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane