[Unbound-users] AD bit set for NXDOMAIN but should not?

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Mar 1 08:10:56 UTC 2011

On Mon, Feb 28, 2011 at 06:52:04PM -0500,
 David Blacka <davidb at verisign.com> wrote 
 a message of 23 lines which said:

> Where in 5155 does it say that the NXDOMAIN proof is different in
> the opt-out case?  

I quoted the text at the beginning of the thread. Here it is:

9.2.  Use of the AD Bit

   The AD bit, as defined by [RFC 4035], MUST NOT be set when returning a
   response containing a closest (provable) encloser proof in which the
   NSEC3 RR that covers the "next closer" name has the Opt-Out bit set.

   This rule is based on what this closest encloser proof actually
   proves: names that would be covered by the Opt-Out NSEC3 RR may or
   may not exist as insecure delegations.  As such, not all the data in
   responses containing such closest encloser proofs will have been
   cryptographically verified, so the AD bit cannot be set.

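To make the rule in section 9.2 concrete, here is an added example of the validator-side decision; it is illustrative code written for this page, not Unbound's own implementation. It implements NSEC3 hashing (RFC 5155 section 5, hash algorithm 1 only) and the closest encloser proof for an NXDOMAIN answer (sections 8.3 and 8.4), then refuses to allow the AD bit whenever the NSEC3 RR that covers the "next closer" name carries the Opt-Out flag. The zone names, salt and iteration count are constructed for the example, and it assumes the NSEC3 RRs' RRSIGs have already been verified and their parameters already checked against the zone's NSEC3PARAM, since those steps are outside the scope of the quoted text.

```python
"""
Added example (not Unbound code): may a validator set AD on an NSEC3
NXDOMAIN answer?  RFC 5155 section 9.2 says no when the NSEC3 RR covering
the "next closer" name has Opt-Out set, because names under an Opt-Out
span may still exist as insecure delegations.
"""
import hashlib
from dataclasses import dataclass

OPT_OUT = 0x01  # NSEC3 Flags field, bit 0 (RFC 5155 section 3.1.2.1)


def to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """H(name) per RFC 5155 section 5: SHA-1(name || salt), iterated."""
    h = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h


@dataclass(frozen=True)
class NSEC3:
    owner_hash: bytes  # decoded base32hex owner label; bytes sort like base32hex
    next_hash: bytes   # Next Hashed Owner Name field
    flags: int         # Flags field (Opt-Out is bit 0)

    def matches(self, h: bytes) -> bool:
        return self.owner_hash == h

    def covers(self, h: bytes) -> bool:
        """owner < h < next, with wrap-around for the last RR of the chain."""
        if self.owner_hash < self.next_hash:
            return self.owner_hash < h < self.next_hash
        return h > self.owner_hash or h < self.next_hash


def build_chain(names, salt, iterations, flags):
    """Construct a complete NSEC3 chain (sorted, wrapping) for the given names."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [NSEC3(hashes[i], hashes[(i + 1) % len(hashes)], flags)
            for i in range(len(hashes))]


def nxdomain_proof(chain, apex, qname, salt, iterations):
    """
    Validate an NXDOMAIN closest encloser proof for qname.
    Returns (proven, ad_allowed, closest_encloser).  ad_allowed is False
    when the RR covering the next closer name has Opt-Out set, even though
    the proof itself is valid (RFC 5155 section 9.2).
    """
    labels = qname.lower().rstrip(".").split(".")
    apex_labels = apex.lower().rstrip(".").split(".")
    if len(labels) <= len(apex_labels) or labels[-len(apex_labels):] != apex_labels:
        return False, False, None  # not a name below this zone's apex
    # Walk upward from qname's parent to the apex looking for a matching NSEC3.
    for i in range(1, len(labels) - len(apex_labels) + 1):
        ce = ".".join(labels[i:])
        if not any(rr.matches(nsec3_hash(ce, salt, iterations)) for rr in chain):
            continue
        next_closer = ".".join(labels[i - 1:])
        nc_rr = next((rr for rr in chain
                      if rr.covers(nsec3_hash(next_closer, salt, iterations))), None)
        # NXDOMAIN also needs the wildcard at the closest encloser denied (8.4).
        wc_covered = any(rr.covers(nsec3_hash("*." + ce, salt, iterations))
                         for rr in chain)
        if nc_rr is None or not wc_covered:
            return False, False, ce
        return True, not (nc_rr.flags & OPT_OUT), ce
    return False, False, None


# Constructed zone for the example.  "b.example.test" is an insecure
# delegation deliberately left out of the chain, as Opt-Out permits.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 10
APEX = "example.test"
ZONE_NAMES = ["example.test", "a.example.test", "c.example.test"]
optout_chain = build_chain(ZONE_NAMES, SALT, ITERATIONS, flags=OPT_OUT)
signed_chain = build_chain(ZONE_NAMES, SALT, ITERATIONS, flags=0)


def decide(chain, qname):
    return nxdomain_proof(chain, APEX, qname, SALT, ITERATIONS)


if __name__ == "__main__":
    for label, chain in (("Opt-Out zone", optout_chain), ("fully signed zone", signed_chain)):
        proven, ad, ce = decide(chain, "x.example.test")
        print(f"{label}: proven={proven} closest_encloser={ce} AD allowed={ad}")
```

The instructive case is `a.b.example.test` against the Opt-Out chain: the closest encloser proof succeeds (closest encloser `example.test`, next closer `b.example.test` covered), yet `b.example.test` may be exactly the insecure delegation the zone omitted, so the validator accepts the answer as valid but must leave AD clear. Against the chain without Opt-Out the same proof does establish non-existence and AD may be set.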