AD=1 is set by a security-aware resolver when all the RRsets in the answer are considered authentic. As far as I know, that does not provide any indication of whether the NS (DS, DELEG, NSEC3, etc.) tree was validated. (And NS in the child might be, and NS from the parent won't be.)

AD stays at 0 when:
1. the zone is not signed
2. the recursive server is not doing validation

I think it is also unset if my stub happens to use a recursive resolver which is *also* authoritative for the zone in question.

If a stub resolver (such as an IoT device) wants to know if the recursive resolver is doing DNSSEC validation, I'm not aware of any mechanism other than doing a query that they expect will be signed, and observing the AD bit. Maybe I've missed something.

This is about draft-ietf-iotops-iot-dns-guidelines-01.

--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
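The probe described in the message above (send a query for a name you expect to be signed, then look at the AD bit in the reply) comes down to setting a few header bits on the way out and reading a few on the way back. The following is an added illustration, not code from the draft or from the poster: it builds the query with RD and AD set and an EDNS0 OPT record carrying the DO bit, and classifies a reply from its header flags (QR, AA, AD, RCODE). The replies it classifies are constructed byte strings, not captured traffic, so it runs offline; the query name, the EDNS buffer size of 1232 and the query ID are arbitrary choices for the example. The classification reports AA alongside AD so the caller can see when the reply came from a server that is authoritative for the name, without drawing any conclusion from that itself.

```python
import struct

# DNS header flag bits (RFC 1035 4.1.1; AD and CD from RFC 4035 3.2.2/3.2.3).
QR = 1 << 15   # response
AA = 1 << 10   # authoritative answer
TC = 1 << 9    # truncated
RD = 1 << 8    # recursion desired
RA = 1 << 7    # recursion available
AD = 1 << 5    # authentic data
CD = 1 << 4    # checking disabled
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

OPT_TYPE = 41
EDNS_DO = 0x8000          # DO bit lives in the high bit of the OPT TTL field (RFC 3225)
EDNS_UDP_SIZE = 1232      # assumption for the example; any sane buffer size works


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, qid=0x1234):
    """Query with RD, AD set in the query (RFC 6840 5.7) and an OPT RR carrying DO."""
    flags = RD | AD
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)   # qd=1, ar=1 (the OPT RR)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = ext-rcode/version/flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_UDP_SIZE, EDNS_DO, 0)
    return header + question + opt


def parse_flags(msg):
    """Return the header fields a stub needs to interpret a reply."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
    }


def classify_reply(msg, expected_id):
    """Classify a reply to the AD-bit probe purely from its header."""
    f = parse_flags(msg)
    if f["id"] != expected_id or not f["qr"]:
        return "not-our-reply"
    if f["tc"]:
        return "truncated-retry-over-tcp"
    if f["rcode"] == RCODE_SERVFAIL:
        # A validating resolver answers SERVFAIL for data that fails validation (RFC 4035 5.5),
        # but SERVFAIL has other causes too, so this alone does not prove validation.
        return "servfail"
    if f["rcode"] != RCODE_NOERROR:
        return "rcode-%d" % f["rcode"]
    if f["ad"]:
        return "validated-authoritative" if f["aa"] else "validated"
    return "unvalidated-authoritative" if f["aa"] else "unvalidated"


def make_reply_header(qid, flags, an=1):
    """Constructed reply header (no body) for offline testing of the classifier."""
    return struct.pack("!HHHHHH", qid, QR | RA | flags, 1, an, 0, 0)


# Constructed sample replies, not captured from a real resolver.
SAMPLE_VALIDATED = make_reply_header(0x1234, RD | AD)
SAMPLE_PLAIN = make_reply_header(0x1234, RD)
SAMPLE_AUTH_NO_AD = make_reply_header(0x1234, RD | AA)
SAMPLE_BOGUS = make_reply_header(0x1234, RD | RCODE_SERVFAIL, an=0)
SAMPLE_WRONG_ID = make_reply_header(0x9999, RD | AD)

if __name__ == "__main__":
    q = build_query("example.com.")
    print("query bytes:", q.hex())
    for label, sample in [("validated", SAMPLE_VALIDATED), ("plain", SAMPLE_PLAIN),
                          ("auth-no-ad", SAMPLE_AUTH_NO_AD), ("bogus", SAMPLE_BOGUS),
                          ("wrong-id", SAMPLE_WRONG_ID)]:
        print(label, "->", classify_reply(sample, 0x1234))
```

The `build_query` output is what a stub would hand to `socket.sendto` toward its configured resolver; the classifier deliberately reads only the 12-byte header, which is all the AD-bit probe needs, so it works on any reply regardless of how the answer section is laid out.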
