This is an interesting proposal, but it should instead be sent to the ADD WG, given that RFC 9606 and friends came from there, not DNSOP.
--Paul Hoffman On Sep 11, 2024, at 05:36, Stephane Bortzmeyer <[email protected]> wrote: > > In the current registry for DNS Resolver Information Keys (RFC 9606), > there is no key to indicate that the resolver validates with > DNSSEC. For me, it is an important criterion to evaluate a resolver. > > I am thinking about asking for a registration. Policy for this > registry is "specification required". Before I start writing one, I > ask your advice. Is it a good idea? Will managers of resolvers use it? > Or do we assume that any serious resolver validates anyway? > > Short proposal for the specification: > > dnssecval: The presence of this key indicates that the DNS resolver > validates all answers with DNSSEC [RFC4033][RFC4034][RFC4035]. Note > that, per the rules for the keys defined in Section 6.4 of [RFC6763], > if there is no '=' in a key, then it is a boolean attribute, simply > identified as being present, with no value. > > (And advise that exterr should then include the EDE for DNSSEC?) _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
