<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 11/18/20 1:36 AM, Phil Pennock
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:X7RsdQfks6uDFp9X@fullerene.field.pennock-tech.net">
<pre class="moz-quote-pre" wrap="">Double-check: in such a scenario, if the request is for the recursive to
validate DNSSEC and this zone is not opt-out, then the recursive would
HAVE to get the data from the child, because the parent won't have RRSIG
records for the glue NS, right?
[...]
</pre>
</blockquote>
<p>I believe the requirements are stronger and a server may never
put parent-side data into ANSWER section. Validation can help in
the sense that if it succeeds, it doesn't matter where the data
came from.</p>
<p>The best reference is probably RFC 2181 5.4.1 again:<br>
<blockquote type="cite">
<pre class="newpage"> Unauthenticated RRs received and cached from the least trustworthy of
those groupings, that is data from the additional data section, and
data from the authority section of a non-authoritative answer, should
not be cached in such a way that they would ever be returned as
answers to a received query.</pre>
</blockquote>
<br>
</p>
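<p>The caching rule quoted from RFC 2181 above, as an added example that is not part of the original message: a simplified resolver cache that ranks RRsets by the section they arrived in and refuses to answer from the least trustworthy group. The class and function names are hypothetical, the ranks cover only the resolver-side part of the RFC's list, and TTLs and DNSSEC validation are not modeled.</p>

```python
# Added example: simplified RFC 2181 section 5.4.1 credibility ranking for a
# resolver cache. All names here are hypothetical, not from any real resolver.
from enum import IntEnum


class Rank(IntEnum):
    # Least to most trustworthy (resolver-side subset of the RFC's list).
    ADDITIONAL_OR_NONAUTH_AUTHORITY = 1  # additional data, or authority section of a non-AA reply
    NONAUTH_ANSWER = 2                   # answer section of a non-AA reply
    AUTH_AUTHORITY = 3                   # authority section of an AA reply
    AUTH_ANSWER = 4                      # answer section of an AA reply


def classify(section, aa):
    """Map the section an RRset arrived in, plus the AA bit, to a rank."""
    if section == "answer":
        return Rank.AUTH_ANSWER if aa else Rank.NONAUTH_ANSWER
    if section == "authority" and aa:
        return Rank.AUTH_AUTHORITY
    return Rank.ADDITIONAL_OR_NONAUTH_AUTHORITY


class RankedCache:
    def __init__(self):
        self._rrsets = {}  # (owner, rrtype) -> (rank, rdata tuple)

    def store(self, owner, rrtype, rdata, section, aa):
        """Cache an RRset unless a more trustworthy copy is already held."""
        key, rank = (owner.lower(), rrtype), classify(section, aa)
        held = self._rrsets.get(key)
        if held and held[0] > rank:
            return False  # keep the better data, e.g. child-side over parent-side NS
        self._rrsets[key] = (rank, tuple(rdata))
        return True

    def answer(self, owner, rrtype):
        """Data usable in an ANSWER section; lowest-rank data never qualifies."""
        held = self._rrsets.get((owner.lower(), rrtype))
        if held is None or held[0] == Rank.ADDITIONAL_OR_NONAUTH_AUTHORITY:
            return None  # caller has to ask the child zone's servers instead
        return held[1]

    def referral_targets(self, owner):
        """Any cached NS set may still guide where to send the next query."""
        held = self._rrsets.get((owner.lower(), "NS"))
        return held[1] if held else None
```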
</body>
</html>