[dns-operations] Added a DO+CD test to genreport and a number of the root servers fail.
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Jun 13 14:23:31 UTC 2018
> On Jun 13, 2018, at 9:21 AM, Mark Andrews <marka at isc.org> wrote:
>
> According to RFC 4035 CD is supposed to be copied to the reply.
Surely these are authoritative replies, and so the requirement
is not in scope:
https://tools.ietf.org/html/rfc4035#section-3.1.6
A security-aware name server does not perform signature validation
for authoritative data during query processing, even when the CD bit
is clear. A security-aware name server SHOULD clear the CD bit when
composing an authoritative response.
[...]
A security-aware name server that supports recursion MUST follow the
rules for the CD and AD bits given in Section 3.2 when generating a
response that involves data obtained via recursion.
--
Viktor.
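As an added example (not from this thread, and not genreport's code): a standalone checker that builds a DO+CD query in wire format, decodes the flag word of a reply, and classifies the reply's CD handling according to the two RFC 4035 clauses quoted above. The helper names, the SOA qtype and the sample replies are all constructed here; the replies are header-only, which is enough for flag inspection.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
QR, AA, RD, RA, AD, CD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020, 0x0010
DO_TTL = 0x00008000     # DO is the top bit of the OPT RR's 32-bit TTL field (RFC 6891)

def build_query(qname: str, txid: int = 0x1234, cd: bool = True, do: bool = True) -> bytes:
    """Wire-format SOA query for qname with CD in the header and DO in an EDNS0 OPT RR."""
    flags = CD if cd else 0                     # RD left clear: an iterative query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", 6, 1)        # QTYPE=SOA, QCLASS=IN
    # OPT RR: root name, type 41, class = UDP payload size, TTL carries DO, empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_TTL, 0) if do else b""
    return header + question + opt

def parse_flags(msg: bytes) -> dict:
    """Decode the header flag word of a DNS message into named booleans."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return {name: bool(flags & bit) for name, bit in
            (("qr", QR), ("aa", AA), ("rd", RD), ("ra", RA), ("ad", AD), ("cd", CD))}

def cd_verdict(query: bytes, response: bytes) -> str:
    """Judge the reply's CD bit against the two RFC 4035 clauses quoted in the thread."""
    q, r = parse_flags(query), parse_flags(response)
    if not r["qr"]:
        return "not-a-response"
    if r["aa"]:
        # Section 3.1.6: authoritative answer, the server SHOULD clear CD
        return "ok" if not r["cd"] else "cd-echoed-on-authoritative-answer"
    # Section 3.2 applies to data obtained via recursion: CD is copied from the query
    return "ok" if r["cd"] == q["cd"] else "cd-not-copied-on-recursive-answer"

def constructed_response(txid: int, flags: int) -> bytes:
    """Constructed sample reply: a 12-byte header only, sufficient for flag checks."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    query = build_query(".", cd=True, do=True)
    for label, flags in (("authoritative, CD cleared", QR | AA),
                         ("authoritative, CD echoed", QR | AA | CD),
                         ("recursive, CD copied", QR | RD | RA | CD)):
        print(f"{label}: {cd_verdict(query, constructed_response(0x1234, flags))}")
```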