Update to DNSSEC design document.

Alexander Monakov amonakov@ispras.ru
Thu May 21 08:27:50 GMT 2020


On Thu, 21 May 2020, Petr Špaček wrote:

> In my opinion:
> - AD bit stripping ensures the application can trust the answer (which is
> exactly the purpose of AD bit).

I don't see how absence of AD bit implies that the application can trust the
answer, and I think you and Rich are talking from different standpoints here.

I apologize if I misunderstand something, but let me summarize in simpler
terms what I imagine is being said:

I think your position is that if the application sees the AD bit,
then there is some code (in the resolver library, probably) that has already
verified the answer, and would clear the AD bit if it could not be verified.

I think Rich is talking from the standpoint that if the application sees the AD
bit, then an authoritative server has set the AD bit in accordance with RFC 3655
section 2.2 and is thus requesting the recipients to verify it. After seeing the
AD bit, the application should honor the request and verify the answer. Not sure
what API could be used for this purpose.

Again, I am probably missing some very essential details here, and even might be
misrepresenting what either of you said. I think your standpoints are so
different though, it helps to clarify the overall idea before arguing the
details.

Alexander
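The two readings above both hinge on what a stub resolver does with the AD flag (bit 5 of the second header word, per RFC 3655) before an answer reaches the application. The following is an added illustration, not code from this thread or from glibc: it parses the DNS header of a constructed response and applies the "strip AD unless the answer came from a validating resolver we trust" policy. The `trusted_validating_resolver` parameter is a hypothetical stand-in for whatever trust decision a real stub would make (e.g. the resolver is on localhost or reached over a secured channel); the sample message and its addresses are constructed.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 / RFC 3655).
QR_BIT = 0x8000
RD_BIT = 0x0100
RA_BIT = 0x0080
AD_BIT = 0x0020  # Authenticated Data (RFC 3655)
CD_BIT = 0x0010  # Checking Disabled

HEADER_LEN = 12


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its individual fields."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:HEADER_LEN])
    return {
        "id": ident,
        "qr": bool(flags & QR_BIT),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & RD_BIT),
        "ra": bool(flags & RA_BIT),
        "ad": bool(flags & AD_BIT),
        "cd": bool(flags & CD_BIT),
        "rcode": flags & 0xF,
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def sanitize_ad(msg: bytes, trusted_validating_resolver: bool) -> bytes:
    """Return the message with AD cleared unless the stub trusts the sender to
    have validated.  A cleared AD bit tells the application 'nothing upstream
    vouches for this answer'; an AD bit that survives means the stub itself is
    vouching for the validation chain.  (Hypothetical trust flag, see lead-in.)"""
    if trusted_validating_resolver:
        return msg
    (flags,) = struct.unpack("!H", msg[2:4])
    flags &= ~AD_BIT & 0xFFFF  # clear only AD, leave RD/RA/CD/RCODE untouched
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


def build_sample_response() -> bytes:
    """Constructed response: QR=1, RD=1, RA=1, AD=1, one A record for example.com."""
    flags = QR_BIT | RD_BIT | RA_BIT | AD_BIT  # 0x81A0
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)  # type A, class IN
    # Answer: name pointer to offset 12, type A, class IN, TTL 300, 4-byte RDATA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer


if __name__ == "__main__":
    raw = build_sample_response()
    print("as received:", parse_header(raw))
    print("untrusted path:", parse_header(sanitize_ad(raw, False)))
    print("trusted validator:", parse_header(sanitize_ad(raw, True)))
```

The check an application (or an auditor reading resolver code) should care about is that `sanitize_ad` touches only the AD bit: RD, RA, CD and RCODE must round-trip unchanged, and the message length must not move, or downstream parsing of the question and answer sections breaks.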

