Edward Lewis wrote:
> 
> I haven't found the dns64 draft yet, but was involved in the discussion
> in 2001 over the AD bit.
> 
> A bunch of people, in the past wrote this stuff:
> 
>>>  > So AD doesn't mean "I validated this", but rather "I know this is
>>>  > valid".
> 
> That is correct.  The AD bit isn't a statement of how the server learned
> the information but an affirmation that the response meets the server's
> security metric.

Ed,

As I said, I'm happy to defer to those who know the protocol stuff
better than I do, and I think you probably qualify. :)

The DNS64 draft is here:
http://tools.ietf.org/html/draft-bagnulo-behave-dns64-02

I think that what you're saying above coincides with the "local
policy" argument that I made in my first post. If the local
validating/translating resolver is satisfied that the prefix it's
going to prepend to the answer is valid according to local policy,
setting the AD bit is Ok. The fact that it is probably Ok doesn't mean
I like it. Of course I still have the tool of setting the CD bit in
queries to defeat this if it really matters to me.


Doug
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
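An added illustration of the point above, not code from this thread or from the DNS64 draft: a DNS64 resolver sets AD on a synthesized AAAA only as an assertion of its own policy (the A RRset validated and the local prefix is trusted), and a client that prefers to validate for itself sets CD in its query. Flag bit positions are those of the DNS header; the prefix 64:ff9b::/96 and the policy inputs are assumptions.

```python
import ipaddress

# DNS header flag bits (16-bit flags word: QR, RD, RA, AD, CD).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010

# Assumed DNS64 prefix; a deployment uses whatever Pref64::/96 it configures.
PREF64 = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = PREF64) -> ipaddress.IPv6Address:
    """DNS64 synthesis: embed the IPv4 address in the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("DNS64 prefix must be a /96")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def query_flags(checking_disabled: bool) -> int:
    """Flags a stub sends: RD, plus CD when it wants unvalidated data to check itself."""
    return RD | (CD if checking_disabled else 0)


def dns64_response_flags(qflags: int, a_rrset_validated: bool, prefix_trusted: bool) -> int:
    """Decide AD on a synthesized AAAA answer in the sense discussed in the thread.

    AD says "this answer meets my security policy", not "I verified a signature":
    a synthesized AAAA has no RRSIG, so the resolver can only vouch for it when the
    underlying A RRset validated AND local policy trusts the prefix it prepended.
    With CD set by the client, server-side validation is switched off in this model,
    so no authenticity assertion is made and the client validates on its own.
    """
    flags = QR | RA
    if a_rrset_validated and prefix_trusted and not (qflags & CD):
        flags |= AD
    return flags


if __name__ == "__main__":
    print("synthesized:", synthesize_aaaa("192.0.2.1"))  # constructed sample address
    for cd in (False, True):
        r = dns64_response_flags(query_flags(cd), a_rrset_validated=True, prefix_trusted=True)
        print(f"client CD={cd}: AD set in response = {bool(r & AD)}")
```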