In your letter dated Tue, 28 Mar 2017 19:23:16 +0200 you wrote:
>On 28 Mar 2017, at 12:37, Philip Homburg wrote:
>
>> So it would be best if a validator that implements MD5 would still return
>> NXDOMAIN if validation fails, but would keep the AD-bit clear even if
>> validation passes for a domain signed using MD5.
>
>In the interest of nitpick correctness, please return SERVFAIL there, 
>not NXDOMAIN :)

Indeed. Though if somebody is foolish enough to sign with MD5, maybe they should
get an NXDOMAIN :-)


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
