[Unbound-users] AD bit set for NXDOMAIN but should not?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Sun Feb 27 13:00:27 UTC 2011
When comparing the results of:
dig +dnssec @$NS A www.doesnotexistatall-foo-bar.fr
for BIND and Unbound, I see they both return NXDOMAIN (and rightly
so), but only Unbound sets the AD bit. I tested both on OARC's
resolvers <https://www.dns-oarc.net/oarc/services/odvr> and on my own
local resolvers. .FR is signed with NSEC3+opt-out.
According to its maintainer, BIND is right
<https://lists.isc.org/pipermail/bind-users/2009-January/074539.html>.
My colleague Vincent Levigneron extracted from RFC 5155 two paragraphs
which seem to indicate that BIND is indeed right:
9.2. Use of the AD Bit
The AD bit, as defined by [RFC 4035], MUST NOT be set when returning a
response containing a closest (provable) encloser proof in which the
NSEC3 RR that covers the "next closer" name has the Opt-Out bit set.
This rule is based on what this closest encloser proof actually
proves: names that would be covered by the Opt-Out NSEC3 RR may or
may not exist as insecure delegations. As such, not all the data in
responses containing such closest encloser proofs will have been
cryptographically verified, so the AD bit cannot be set.
So, is Unbound right/wrong/neutral when setting the AD bit on
NXDOMAINs?
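As an added illustration of the RFC 5155 section 9.2 rule quoted above (this is example code written for this page, not code from the poster, BIND or Unbound), the Python below models an NSEC3 NXDOMAIN proof: a closest encloser that matches, an NSEC3 covering the "next closer" name, and an NSEC3 covering the wildcard at the closest encloser. The proof is accepted as NXDOMAIN either way, but the AD bit is refused as soon as the record covering the next closer name carries the Opt-Out flag, because an insecure delegation might sit in that hash gap. The hash strings are constructed placeholders, not real NSEC3 hashes of .FR names.

```python
"""Decide whether a validator may set AD on an NSEC3-proven NXDOMAIN.

Added example modelling RFC 5155 section 9.2 (not Unbound's or BIND's
code). Hash values used below are constructed placeholders, not real
base32hex NSEC3 hashes.
"""
from dataclasses import dataclass

OPT_OUT = 0x01  # NSEC3 Flags field, bit 0: Opt-Out (RFC 5155 section 3.1.2.1)


@dataclass(frozen=True)
class NSEC3:
    owner_hash: str   # hashed owner name (first label, zone suffix dropped)
    next_hash: str    # "Next Hashed Owner Name" field
    flags: int = 0

    @property
    def opt_out(self) -> bool:
        return bool(self.flags & OPT_OUT)

    def matches(self, h: str) -> bool:
        """This NSEC3 proves that the name hashing to h exists."""
        return self.owner_hash == h

    def covers(self, h: str) -> bool:
        """This NSEC3 proves that no name hashes to h: h lies strictly
        between owner and next in hash order. The last record of the chain
        wraps around (owner > next) and covers both ends of the ring."""
        if self.owner_hash == h:
            return False
        if self.owner_hash < self.next_hash:
            return self.owner_hash < h < self.next_hash
        return h > self.owner_hash or h < self.next_hash  # wrap-around record


def nxdomain_ad_bit(closest_encloser_hash, next_closer_hash, wildcard_hash, rrs):
    """Check an NSEC3 NXDOMAIN proof and decide on the AD bit.

    Returns (proof_valid, ad_bit):
      proof_valid=False  -> the records do not prove NXDOMAIN; treat as bogus.
      ad_bit=False with proof_valid=True -> the RFC 5155 9.2 case: NXDOMAIN is
        proven, but the NSEC3 covering the next closer name has Opt-Out set,
        so not all data in the response has been cryptographically verified.
    """
    ce = [r for r in rrs if r.matches(closest_encloser_hash)]
    nc = [r for r in rrs if r.covers(next_closer_hash)]
    wc = [r for r in rrs if r.covers(wildcard_hash)]
    if not (ce and nc and wc):
        return False, False
    return True, not nc[0].opt_out


def example_chain(opt_out: bool):
    """Constructed three-record NSEC3 chain for a zone such as .FR.

    "0A1B" stands for the hash of the zone apex (closest encloser),
    the gap 4F5G..9K2M is where the queried name's next closer label
    hashes to, and the wrap-around record covers the wildcard hash."""
    flags = OPT_OUT if opt_out else 0
    return [
        NSEC3("0A1B", "4F5G", 0),
        NSEC3("4F5G", "9K2M", flags),   # covers the next closer name
        NSEC3("9K2M", "0A1B", 0),       # wrap-around: covers the wildcard
    ]


if __name__ == "__main__":
    # Constructed hashes: apex, next closer name, and *.<apex>
    args = ("0A1B", "7H00", "C3Q0")
    print("opt-out zone   :", nxdomain_ad_bit(*args, example_chain(True)))
    print("no-opt-out zone:", nxdomain_ad_bit(*args, example_chain(False)))
```

Run as a script it prints `(True, False)` for the Opt-Out chain (NXDOMAIN proven, AD must not be set) and `(True, True)` when the covering record has no Opt-Out flag; a proof whose next closer name equals an existing owner hash is rejected outright.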