[Unbound-users] AD bit set for NXDOMAIN but should not?

W.C.A. Wijngaards wouter at NLnetLabs.nl
Tue Mar 1 08:23:58 UTC 2011

Hi Stephane,

On 03/01/2011 09:18 AM, Stephane Bortzmeyer wrote:
>> Well, since below the optout stuff is not signed, it is true that
>> the NXDOMAIN is not fully secure, so I support the notion that
>> unbound should not give an AD flag.
> Do you plan to change the behaviour of Unbound? I ask it because we
> are developing monitoring tools and they rely on the presence/absence
> of the AD bit, that's why we were disturbed by the discrepancy between
> BIND and Unbound.

It seems to me that underneath an optout-span, stuff is insecure, and
thus so must be the NXDOMAIN case we have here.  So I am inclined to
change unbound.  But I am also looking for guidance because of questions
about 5155.

>> Example B.1 in RFC5155 is wrong, and it should be changed 
> I let you report it at <http://www.rfc-editor.org/errata.php>, I'm not
> confident enough to do it.

Yes, but one of the authors of RFC5155 has responded on this mailing
list; first we must talk about it before posting errata.

Best regards,
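Added example, not part of the original message and not Unbound or BIND code: a check a monitoring tool could run on a raw DNS response to spot the case discussed in this thread, AD set on an NXDOMAIN whose authority section carries an NSEC3 record with the Opt-Out flag. The function names and the sample message are constructed for illustration; the check reads flags only (no signature validation) and treats any NSEC3 in the authority section as relevant, which is a simplification.

```python
import struct

NSEC3 = 50  # RR type number (RFC 5155)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + n

def classify(msg):
    """Return (ad, nxdomain, optout) for a raw DNS response."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    ad = bool(flags & 0x0020)                  # AD bit in the header flags
    nxdomain = (flags & 0x000F) == 3           # RCODE 3
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    optout = False
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        # NSEC3 RDATA starts: hash alg (1 byte), flags (1 byte); Opt-Out = 0x01
        if i >= an and rtype == NSEC3 and rdlen >= 2 and msg[off + 1] & 0x01:
            optout = True
        off += rdlen
    return ad, nxdomain, optout

def ad_on_optout_nxdomain(msg):
    """True when AD is set on an NXDOMAIN proven with an opt-out NSEC3."""
    return all(classify(msg))

def wire_name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".") if l) + b"\0"

def sample(flags, nsec3_flags):
    """Constructed response: one question, one NSEC3 in the authority section."""
    question = wire_name("nx.example") + struct.pack("!HH", 1, 1)
    rdata = (bytes([1, nsec3_flags]) + struct.pack("!H", 0) + b"\0"
             + bytes([20]) + bytes(20) + bytes([0, 1, 0x40]))
    owner = wire_name("0123456789abcdefghijklmnopqrstuv.example")
    rr = owner + struct.pack("!HHIH", NSEC3, 1, 3600, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, flags, 1, 0, 1, 0) + question + rr
```

In the constructed samples, header flags 0x81A3 are a response with RD, RA, AD and RCODE 3, and 0x8183 is the same response without AD.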
