[Unbound-users] AD bit set for NXDOMAIN but should not?
David Blacka
davidb at verisign.com
Mon Feb 28 23:52:04 UTC 2011
On Feb 28, 2011, at 11:07 AM, W.C.A. Wijngaards wrote:
> Example B.1 in RFC5155 is wrong, and it should be changed to have the
> optout flag removed from the nextcloser NSEC3
> (0p9mhaveqvm6t7vbl5lop2u3t2rp3tom).
>
> (with the optout flag set, the example is insecure, and also the
> wildcard denial has to be removed).
Where in 5155 does it say that the NXDOMAIN proof is different in the opt-out case? My memory (and a quick search through 5155) is that only the insecure referral proof is different with Opt-Out.
AFAICT example B.1 is correct. The examples don't show the AD bit status (they are showing the responses from the authoritative server), but I thought section 9.2 was clear enough.
--
David Blacka <davidb at verisign.com>
Principal Engineer Verisign Platform Product Development
More information about the Unbound-users
mailing list