[nsd-users] do bit
Matthijs Mekking
matthijs at NLnetLabs.nl
Tue Sep 20 08:21:32 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Miek,
You are hitting something old. From the REQUIREMENTS of NSD:
+ If the DNSSEC OK bit (DO bit) is set then the query will be
processed as a DNSSEC request. Although RFC3225 does not
explicitly specify this NSD clears the DO bit in the answer.
This has been in there since version 1.0.1 :)
I believe that the scope RFC3255 is explicit for resolvers, and RFC 4034
is not clear about it what an authoritative server should do.
I know we made dnext-dnssec-bis-updates for this:
5.6. Setting the DO Bit on Replies
As stated in [RFC3225], the DO bit of the query MUST be copied in the
response. At least one implementation has done something different,
so it may be wise for resolvers to be liberal in what they accept.
Although I don't think we are violating with the RFCs, it is possible to
make NSD copy the DO bit, instead of clear it.
Best regards,
Matthijs
On 09/19/2011 02:52 PM, Miek Gieben wrote:
> Hello
>
> I was playing around with some experimental code and I noticed
> that 'open.nlnetlabs.nl' does not set the DO bit in the reply, when
> it is set in the query, as is required per RFC 3225.
>
> NSD:
>
> % dig @open.nlnetlabs.nl +dnssec mx miek.nl | grep EDNS
> ; EDNS: version: 0, flags:; udp: 4096
>
> BIND:
>
> % dig @miek.nl +dnssec mx miek.nl | grep EDNS
> ; EDNS: version: 0, flags: do; udp: 4096
>
> grtz,
>
>
>
>
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJOeE0MAAoJEA8yVCPsQCW5InkIAIyMg3w/S84Rq6q9Gw42N1FM
yZam3GLRK5EqnzPzqQ6QfXxUUUWU/o3FKzDYEl6wBqSX/ZDqKk5MY4oTeFQhb8Hu
Yf2Oh43BS4VQbbjRFnG1i9z8b1kaS+ve5e5r96LSsZ7sbiKSYna7KwfH0j+3bR2o
0YOIcjCJxqbbAJN6z7uZRbr1OAoZ3oTI6CRKITgq4gSKNlVf/G1ZdN4MfTzUqbry
oM72KDDJhEaPS0hCX0ThKC9eMOGITOmgKdRDvYnwUmt5lw/VkLiLLSu7+kzdmGaN
kXrOBv6B4CNa5Vp5vIXGRij1GWQt9lHEqcKV/zT4CxB2SGLP/fkk46oOnGFSbIg=
=uPEl
-----END PGP SIGNATURE-----
More information about the nsd-users
mailing list