At 15:01 13/01/2010, Alex Bligh wrote:

> --On 13 January 2010 13:19:30 -0500 Olafur Gudmundsson <o...@ogud.com> wrote:
>
>> Going forward I think this is a bad recommendation.  I would like to
>> propose that the document take the plunge of recommending that
>> modern DNSSEC capable resolvers perform the priming query over TCP.
>> ...
>> By making this change section 2.4 can be dropped, the one
>> on not asking for signed answers.
>
> Not sure I agree.
>
> I think there is a good case to be made that IF the DO bit is set,
> THEN the response SHOULD be made over TCP, but you are asking
> that even non DNSSEC capable resolvers which would query with
> DO clear make queries over TCP; in these instances the response
> packet would be much smaller.

DNSSEC compliance requires EDNS0; see RFC4035 sections 4.1 and 3.
Why not ask for signatures?
A paranoid validating resolver will need them to make sure the
glue is not forged, in particular if the answer over the wire is different
from what the validator was bootstrapped with.

With DNSSEC validation you can ignore what section answer came from
if you can create a trust chain to the data.

        Olafur

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop