There is no requirement to validate every RRset in a response. There can be lots of cruft in there that isn’t validated. Requiring everything to be validated is a recipe to DoS a validator. Validators validate the parts of the responses that are necessary to verify the answer to the question and discard the rest.
You seem to be under the impression that validators pass answers through. They don’t; they deconstruct the answers they receive and reconstruct the answers they send. Even with the best of intentions on everyone’s part one has to do this to prevent accidental cache poisoning.

-- 
Mark Andrews

> On 19 Jan 2026, at 23:06, Philip Homburg <[email protected]> wrote:
>
>>> As far as I know, DNSSEC requires the validator to validate every RRset in
>>> the answer and authority sections. It also requires the validator to
>>> verify that there is proof of NXDOMAIN or NODATA. However, there doesn't
>>> seem to be any requirement that the validator removes unwanted data.
>>
>> There is no such requirement. You may be thinking of setting AD=1
>> where the validating resolver is asserting that every RRset in the
>> ANSWER and AUTHORITY sections of the response it is producing has
>> been validated as secure.
>>
>> Note AD=1 is only supposed to be accepted if you trust the resolver
>> and can verify that the answer has not been tampered with.
>
> My interpretation is that whether or not a validator returns SERVFAIL only
> depends on the CD flag, not on the AD flag.
>
> So my validator performs the exact same checks whether AD is set or not (and
> doesn't check when CD is set).
>
> The only difference is that at the end if the reply is considered DNSSEC secure
> and the AD flag was set in the request then the AD flag will be set in the
> reply.
>
> Are there validators that check less when AD is not set? Do they omit checks
> for NXDOMAIN or NODATA, do they allow extra data without valid signatures?
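The behaviour discussed in this thread, modelled as an added example that is not code from either poster: a validating resolver keeps only the RRsets needed to answer the question, returns SERVFAIL on bogus data only when CD is clear, and sets AD only when every kept ANSWER/AUTHORITY RRset is secure and the client asked for AD. The `RRset`/`Response` types and the `needed`/`status` fields are assumptions of this model (the DO bit is not modelled); the flag bit values are the real header bits.

```python
from dataclasses import dataclass, field
from typing import List

# Real DNS header flag bits (second 16-bit header word, RFC 1035 / RFC 4035).
FLAG_AD = 0x0020   # Authentic Data: all ANSWER+AUTHORITY RRsets validated secure
FLAG_CD = 0x0010   # Checking Disabled: client asks the resolver not to validate
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

@dataclass
class RRset:
    name: str
    rtype: str
    section: str   # "answer", "authority" or "additional"
    needed: bool   # needed to prove the answer to the question (assumed field)
    status: str    # validator verdict: "secure", "insecure" or "bogus" (assumed)

@dataclass
class Response:
    rcode: int
    flags: int
    rrsets: List[RRset] = field(default_factory=list)

def build_response(request_flags: int, received: List[RRset]) -> Response:
    """Deconstruct the upstream answer and reconstruct what is sent downstream."""
    # Only RRsets needed to answer the question are kept; unvalidated cruft is
    # discarded rather than passed through, which also avoids cache poisoning.
    kept = [rr for rr in received if rr.needed]
    cd_set = bool(request_flags & FLAG_CD)
    # SERVFAIL depends on CD only: with CD clear, a bogus needed RRset fails
    # the query regardless of whether the client set AD.
    if not cd_set and any(rr.status == "bogus" for rr in kept):
        return Response(RCODE_SERVFAIL, 0, [])
    flags = FLAG_CD if cd_set else 0   # echo CD so the client knows checks were skipped
    # AD is set only if the client asked for it and every kept ANSWER/AUTHORITY
    # RRset validated as secure (an "insecure" RRset is enough to clear it).
    in_scope = [rr for rr in kept if rr.section in ("answer", "authority")]
    if (not cd_set and request_flags & FLAG_AD and in_scope
            and all(rr.status == "secure" for rr in in_scope)):
        flags |= FLAG_AD
    return Response(RCODE_NOERROR, flags, kept)
```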
