> I have concerns about the resolver replacing A/AAAA records in signed
> zones as it breaks validation.

What do you mean by "the resolver" in this case?

> If a resolver understanding ANAME is queried using the DO=1 flag it
> shouldn't touch the A/AAAA records, because it already knows the
> requestor would throw them away.

It doesn't *know*. DO=1 doesn't mean the client is validating; it means
the client understands RRSIG.

The draft already advises that ANAME will break validation unless the
validator is ANAME-aware or the auth server has access to the zone's
private key and can sign responses on the fly. (This suggests to me that
the use of ANAME in signed zones will probably be limited at first.)

> This also means a caching resolver should store the original A/AAAA
> records (and not the ones resolved through ANAME) in the cache.

Certainly.

> With this change I don't think it makes sense to say "a resolver MUST
> re-query", I'd use "a resolver SHOULD re-query if it didn't use ECS and
> the query didn't use DO=1".

I'm sorry, I'm not getting this. Please explain further, particularly
with an expansion of the word "it"?

> But I'd add "a resolver MUST include ANAME
> RRset in responses to queries for A/AAAA".

Yes, I'd been assuming it would. If I forgot to mention it in the draft,
I'll fix that.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
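The two behaviours argued over above (leave the signed A/AAAA records alone when DO=1, substitute the ANAME target's addresses otherwise, always include the ANAME RRset, and cache only the original records) as a toy model. This is an added example, not code from the ANAME draft, from ISC, or from anyone in the thread. The zone names, addresses and the hash-based stand-in for an RRSIG are constructed; the point it shows is that any substituted address data no longer matches the signature the zone owner produced, which is exactly why a validating client gets a failure.

```python
"""Toy model of an ANAME-aware recursive resolver (constructed example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def toy_sign(owner: str, rtype: str, rdata: List[str]) -> str:
    # Stand-in for an RRSIG: a digest over owner, type and sorted rdata.
    # Not DNSSEC; it only models the property that changing the rdata
    # invalidates the signature made by the zone's private key.
    h = hashlib.sha256()
    h.update(f"{owner}/{rtype}/{','.join(sorted(rdata))}".encode())
    return h.hexdigest()


@dataclass
class RRset:
    owner: str
    rtype: str
    rdata: List[str]
    rrsig: Optional[str] = None


def validates(rrset: RRset) -> bool:
    """What a validating client does: recompute and compare the signature."""
    return rrset.rrsig is not None and rrset.rrsig == toy_sign(
        rrset.owner, rrset.rtype, rrset.rdata
    )


# Constructed authoritative data: a signed zone with an ANAME at the apex
# plus sibling A records, and an unsigned zone holding the ANAME target.
SIGNED_ZONE: Dict[Tuple[str, str], RRset] = {
    ("example.test", "ANAME"): RRset(
        "example.test", "ANAME", ["cdn.example.test"],
        toy_sign("example.test", "ANAME", ["cdn.example.test"])),
    ("example.test", "A"): RRset(
        "example.test", "A", ["192.0.2.1"],
        toy_sign("example.test", "A", ["192.0.2.1"])),
}
TARGET_ZONE: Dict[Tuple[str, str], RRset] = {
    ("cdn.example.test", "A"): RRset(
        "cdn.example.test", "A", ["198.51.100.7", "198.51.100.8"]),
}


def lookup_authoritative(qname: str, qtype: str) -> Optional[RRset]:
    """Stand-in for asking the authoritative servers."""
    return SIGNED_ZONE.get((qname, qtype)) or TARGET_ZONE.get((qname, qtype))


class Resolver:
    def __init__(self) -> None:
        # Only records as received from the authority are cached, never the
        # addresses substituted through ANAME.
        self.cache: Dict[Tuple[str, str], RRset] = {}

    def _fetch(self, qname: str, qtype: str) -> Optional[RRset]:
        key = (qname, qtype)
        if key not in self.cache:
            rr = lookup_authoritative(qname, qtype)
            if rr is not None:
                self.cache[key] = rr
        return self.cache.get(key)

    def resolve(self, qname: str, qtype: str, do: bool = False) -> List[RRset]:
        """Answer an A/AAAA query; `do` models the DO bit on the query."""
        if qtype not in ("A", "AAAA"):
            raise ValueError("model only handles address queries")
        sibling = self._fetch(qname, qtype)
        aname = self._fetch(qname, "ANAME")
        if aname is None:
            return [sibling] if sibling else []
        answer = [aname]  # the ANAME RRset is always included
        if do:
            # Client understands RRSIG: hand back the signed sibling records
            # untouched so that a validator can still check them.
            if sibling:
                answer.append(sibling)
            return answer
        # DO=0: substitute the target's addresses. The substituted RRset
        # carries no usable signature; it is built locally, never cached.
        target = self._fetch(aname.rdata[0], qtype)
        if target:
            answer.append(RRset(qname, qtype, list(target.rdata)))
        elif sibling:
            answer.append(sibling)
        return answer
```

Running `Resolver().resolve("example.test", "A", do=True)` returns the ANAME RRset plus the original signed A record, which validates; the same query with `do=False` returns the ANAME RRset plus the target's addresses under the queried owner name, which does not validate. In both cases the cache still holds only 192.0.2.1 for example.test/A.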