Hi! I have concerns about the resolver replacing A/AAAA records in signed zones as it breaks validation.
If a resolver understanding ANAME is queried using the DO=1 flag it shouldn't touch the A/AAAA records, because it already knows the requestor would throw them away. This also means a caching resolver should store the original A/AAAA records (and not the ones resolved through ANAME) in the cache.

With this change I don't think it makes sense to say "a resolver MUST re-query", I'd use "a resolver SHOULD re-query if it didn't use ECS and the query didn't use DO=1". But I'd add "a resolver MUST include ANAME RRset in responses to queries for A/AAAA".

cheers,
Stefan

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
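The resolver behaviour proposed in the message above, as an added illustration that is not part of the original post, of any ANAME draft, or of any resolver implementation. It models a caching resolver that caches only the zone's original A/AAAA records, always returns the ANAME RRset, hands back the signed originals untouched when DO=1, and substitutes the target's addresses only when DO=0. The zone names, addresses and the hash-based stand-in for RRSIG verification are constructed assumptions; the stand-in captures only the property that matters here, namely that changing an RRset's rdata invalidates the signature covering it.

```python
import hashlib
from dataclasses import dataclass

# Constructed zone data with placeholder names; not real hosts or addresses.
ZONE_NAME = "example.test."
ANAME_TARGET = "target.example.test."


def toy_rrsig(owner, rtype, rdata):
    """Stand-in for an RRSIG: a hash over the canonical RRset.

    A real validator checks a DNSSEC signature against the zone's DNSKEY;
    the only property modelled here is that any change to the RRset's
    rdata invalidates the signature that covers it (assumption).
    """
    canonical = f"{owner}|{rtype}|{','.join(sorted(rdata))}"
    return hashlib.sha256(canonical.encode()).hexdigest()


# Signed zone: the owner publishes an ANAME and a sibling A record
# (both signed), and the ANAME target has its own A records.
SIGNED_ZONE = {
    (ZONE_NAME, "ANAME"): [ANAME_TARGET],
    (ZONE_NAME, "A"): ["192.0.2.1"],
    (ANAME_TARGET, "A"): ["198.51.100.7", "198.51.100.8"],
}
RRSIGS = {key: toy_rrsig(key[0], key[1], rdata) for key, rdata in SIGNED_ZONE.items()}


@dataclass
class Response:
    answer: dict   # (owner, rtype) -> list of rdata
    rrsigs: dict   # (owner, rtype) -> signature, only for RRsets the zone signed


class AnameResolver:
    """Caching resolver that understands ANAME, following the post's proposal."""

    def __init__(self):
        # Only original, zone-published RRsets are cached, never substituted ones.
        self.cache = {}

    def _lookup(self, owner, rtype):
        if (owner, rtype) not in self.cache:
            self.cache[(owner, rtype)] = list(SIGNED_ZONE.get((owner, rtype), []))
        return self.cache[(owner, rtype)]

    def resolve(self, qname, qtype, do_bit):
        assert qtype in ("A", "AAAA")
        original = self._lookup(qname, qtype)
        aname = self._lookup(qname, "ANAME")
        answer = {}
        rrsigs = {}
        # The ANAME RRset is always included so a validating client can
        # follow it on its own.
        if aname:
            answer[(qname, "ANAME")] = aname
            rrsigs[(qname, "ANAME")] = RRSIGS[(qname, "ANAME")]
        if do_bit or not aname:
            # DO=1: the client validates, so return the signed originals untouched.
            answer[(qname, qtype)] = original
            if (qname, qtype) in RRSIGS:
                rrsigs[(qname, qtype)] = RRSIGS[(qname, qtype)]
        else:
            # DO=0: substitute the target's addresses. No RRSIG can cover them,
            # because the zone never signed an RRset with this rdata.
            answer[(qname, qtype)] = self._lookup(aname[0], qtype)
        return Response(answer, rrsigs)


def validate(response):
    """Validator's view: every RRset that carries a signature must verify."""
    for key, rdata in response.answer.items():
        sig = response.rrsigs.get(key)
        if sig is not None and sig != toy_rrsig(key[0], key[1], rdata):
            return False
    return True


def naive_substitution(qname, qtype="A"):
    """The behaviour the post objects to: replace the A RRset in a DO=1 answer
    while keeping the zone's RRSIG. The signature no longer matches the rdata."""
    resolver = AnameResolver()
    response = resolver.resolve(qname, qtype, do_bit=True)
    target = response.answer[(qname, "ANAME")][0]
    response.answer[(qname, qtype)] = list(SIGNED_ZONE[(target, qtype)])
    return response
```

Running `validate(AnameResolver().resolve(ZONE_NAME, "A", do_bit=True))` succeeds because the original A RRset and its signature travel together, while `validate(naive_substitution(ZONE_NAME))` fails, which is the validation breakage the message describes. The DO=0 path returns the target's addresses with no RRSIG for them, and the cache holds only the original `192.0.2.1` record for the owner name.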