To: David Blacka <davidb@verisignlabs.com>
cc: dnssec@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Tue, 11 May 2004 09:57:25 -0400
In-Reply-To: Message from David Blacka <davidb@verisignlabs.com> of "Mon, 10 May 2004 18:40:52 EDT." <200405101840.52864.davidb@verisignlabs.com>
Sender: owner-dnssec@cafax.se
Subject: Re: dnssec: resolver - application communication
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "David" == David Blacka <davidb@verisignlabs.com> writes:
>> If CD=1 will force the security-aware-caching-resolver to ignore
>> that it has already failed to get b.example. NS, then great. But,
>> I haven't experienced this kind of thing in the field.
David> Failed to get? In your example, I assume that the resolver
David> *got* b.example NS, but failed to validate it. CD=1 is
David> supposed to force the security aware resolver to return what
David> it has, regardless of security status, so if your cache did
David> not return it, then your cache is broken. CD=1 means, IIRC,
David> that the resolver should go fetch it again if it didn't cache
David> the bogus data (which it probably didn't).
If I ask:
c.b.example. CD=1
and my resolver fails to validate b.example, does it continue?
Consider the question again from the point of view of a broken NS
(vs a broken DS).
The reason I don't want to use CD=1 on all queries is because I don't
actually want the application (containing the stub resolver) to have to
have any crypto or anchors in it at all. I don't want every application
to have a SASR - I want a central (system) resource to do the work.
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQKDbwoqHRg3pndX9AQHINAQA212PscmunaiYI7fAjJ/pN7lk+9m+Aqm3
/HJzLqwH2g+gob2P1zT8/Yoy4f0pXHBNu+hj4Z6g0KkJ9dx0zEU24i8j+DqkBw16
WMOBG1yB1SwMUq48UyO78EEvChJySTvuI0Tua9avr504a0OYGvYT0YZlaZzpzXbz
Fz8qd1Rdtk8=
=BC8b
-----END PGP SIGNATURE-----
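The thread argues about what a validating resolver does when a query arrives with CD=1 (and DO=1) versus a plain query. The following is an added example, not code from the thread or from any of the participants: it builds the two kinds of query on the wire for c.b.example. and parses the header and EDNS0 OPT flags back out, so the exact bit positions of RD, AD, CD (header flags word) and DO (OPT RR TTL field) can be checked offline. The query name, transaction ID and UDP payload size are constructed values for the example.

```python
import struct

# DNS header flag bits (RFC 1035 header layout, AD/CD from RFC 2535 section 6.1)
FLAG_RD = 0x0100   # Recursion Desired
FLAG_AD = 0x0020   # Authentic Data (set by the resolver in responses)
FLAG_CD = 0x0010   # Checking Disabled (set by the client in queries)
EDNS_DO = 0x8000   # DO bit: high bit of the 16-bit field inside the OPT RR's TTL (RFC 3225)
TYPE_OPT = 41


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, cd: bool = False, edns: bool = True,
                do: bool = True, rd: bool = True, ident: int = 0x1234,
                udp_size: int = 4096) -> bytes:
    """Build a wire-format query. CD lives in the header flags; DO lives in the OPT RR."""
    flags = 0
    if rd:
        flags |= FLAG_RD
    if cd:
        flags |= FLAG_CD
    # QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 if an OPT RR is appended
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    packet = header + question
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-RCODE(8) | version(8) | DO(1) | Z(15), RDLENGTH 0
        ttl = EDNS_DO if do else 0
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return packet


def skip_name(packet: bytes, offset: int) -> int:
    """Return the offset just past a name (handles a trailing compression pointer)."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_flags(packet: bytes) -> dict:
    """Extract RD/AD/CD from the header and DO from the OPT RR, if any."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(packet, offset) + 4  # QTYPE + QCLASS
    do = None  # None means "no EDNS0 OPT RR present"
    for _ in range(an + ns + ar):
        offset = skip_name(packet, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
    return {
        "id": ident,
        "rd": bool(flags & FLAG_RD),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "do": do,
    }


if __name__ == "__main__":
    # Constructed queries for the name used in the thread.
    for label, q in (("CD=0 DO=1", build_query("c.b.example.")),
                     ("CD=1 DO=1", build_query("c.b.example.", cd=True)),
                     ("plain, no EDNS", build_query("c.b.example.", edns=False))):
        print(label, q.hex(), parse_flags(q))
```

A stub that wants the central resolver to do all validation sends the first form (CD=0); a query with CD=1 tells that resolver to hand back whatever it has even if validation failed, which is the behaviour the thread is debating.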