On Thu, Mar 26, 2009 at 11:50:44AM -0700, Doug Barton wrote:
> > So AD doesn't mean "I validated this", but rather "I know this is
> > valid".
>
> That is a pretty large (and I believe unwarranted) leap in logic.
> There is a world of difference between "I am authoritative for this
> zone" and "I validated a response I got from an authoritative server
> and then glued stuff onto it."
So this is indeed the key point of contention. Some argue that the
proposed behaviour is completely legal under DNSSEC, for exactly the
same reason as, if you obtained a zone by TSIG-secured zone transfer,
it would be legal for you to respond with the AD bit set even though
you didn't do the validation steps.

This question comes down to whether the AD bit is guaranteeing that
the data is exactly the data that would be provided by the authority
server, or whether it is merely a claim of trustworthiness. If it's
the former, and one wants to argue for that, one will need a very
strong argument about which parts of the DNSSEC RFCs prove as much.

A

-- 
Andrew Sullivan
a...@shinkuro.com
Shinkuro, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
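The distinction the thread turns on, "authoritative" (the AA bit) versus "authentic" (the AD bit), is visible in the 12-byte DNS header, and the practical consequence for a consumer of AD is that the bit is a bare claim by the responder with no proof attached. The following is an added example, not code from the thread or from either poster; the function and constant names are this example's own, and the two sample messages are constructed (headers only, with no question or answer sections). It packs and parses the header flags and applies the rule from RFC 4035 section 4.9.3: a non-validating stub may rely on AD only when its channel to the recursive server is itself secured.

```python
"""Inspect the AA and AD bits of a DNS response header and decide
whether a stub should rely on AD.  Added example, not from the thread."""
import struct

# Flag bits of the 16-bit DNS header flags field
# (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.1.6).
QR = 0x8000   # response (1) or query (0)
AA = 0x0400   # Authoritative Answer: server is authoritative for the zone
TC = 0x0200   # TrunCation
RD = 0x0100   # Recursion Desired
RA = 0x0080   # Recursion Available
AD = 0x0020   # Authentic Data: responder asserts the data is authentic
CD = 0x0010   # Checking Disabled: client asks the resolver not to validate

HEADER_LEN = 12


def build_header(ident, *, qr=True, aa=False, tc=False, rd=True, ra=True,
                 ad=False, cd=False, opcode=0, rcode=0,
                 qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a 12-byte DNS header with the given flag bits (name is this example's own)."""
    flags = ((opcode & 0xF) << 11) | (rcode & 0xF)
    for bit, on in ((QR, qr), (AA, aa), (TC, tc), (RD, rd),
                    (RA, ra), (AD, ad), (CD, cd)):
        if on:
            flags |= bit
    return struct.pack("!6H", ident, flags, qdcount, ancount, nscount, arcount)


def parse_header(msg):
    """Unpack the header of a raw DNS message into a dict of fields."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:HEADER_LEN])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def trust_ad(header, channel_secure):
    """Should a non-validating stub act on this response's AD bit?

    AD is a claim made by whoever sent the response; it carries no
    cryptographic proof of its own.  RFC 4035 section 4.9.3 therefore
    lets a non-validating stub rely on AD only when the path to the
    recursive server is itself secured (e.g. TSIG, SIG(0), IPsec).
    Over an unsecured path anyone on the wire can set the bit.
    """
    return header["qr"] and header["ad"] and channel_secure


def describe(header):
    """One-line summary separating 'authoritative' (AA) from 'authentic' (AD)."""
    return "AA=%d AD=%d CD=%d rcode=%d" % (
        header["aa"], header["ad"], header["cd"], header["rcode"])


# Constructed sample messages (header only): a validating recursive
# resolver's answer, and an authoritative server's answer for its own zone.
RECURSIVE_RESPONSE = build_header(0xBEEF, ad=True, ancount=1)
AUTHORITATIVE_RESPONSE = build_header(0xBEEF, aa=True, ra=False, ancount=1)

if __name__ == "__main__":
    for name, msg in (("recursive", RECURSIVE_RESPONSE),
                      ("authoritative", AUTHORITATIVE_RESPONSE)):
        h = parse_header(msg)
        print(name, describe(h),
              "| trust AD over secure channel:", trust_ad(h, True),
              "| over plain UDP:", trust_ad(h, False))
```

Run stand-alone, the script shows that the authoritative answer carries AA but not AD, the recursive answer carries AD but not AA, and the same AD bit is acted on or ignored purely on the basis of the transport between stub and resolver, which is the sense in which AD is a claim rather than a proof.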