On 03/18/2018 09:44 PM, Petr Špaček wrote: > The current text in section 5 is written with an assumption that query > with +CD bit cannot result in "Secure" status and thus cannot trigger > sentinel processing, but this depends on implementation.
I just want to note that this situation of answering +cd queries by validated cached RRs isn't very implementation-specific. One way to come to this: it seems generally desirable to have aggressive caching (rfc8198) on forwarders, due to serving as a cache shared by multiple resolvers, and validating resolvers tend to use +cd to query the forwarders (rfc4035#section-3.2.2). --Vladimir _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop