[Unbound-users] AD bit set for NXDOMAIN but should not?
wouter at NLnetLabs.nl
Tue Mar 1 08:23:58 UTC 2011
On 03/01/2011 09:18 AM, Stephane Bortzmeyer wrote:
>> Well, since below the optout stuff is not signed, it is true that
>> the NXDOMAIN is not fully secure, so I support the notion that
>> unbound should not give an AD flag.
> Do you plan to change the behaviour of Unbound? I ask it because we
> are developing monitoring tools and they rely on the presence/absence
> of the AD bit, that's why we were disturbed by the discrepancy between
> BIND and Unbound.
It seems to me that underneath an optout-span, stuff is insecure, and
thus so must be the NXDOMAIN case we have here. So I am inclined to
change unbound. But I am also looking for guidance because of questions
>> Example B.1 in RFC5155 is wrong, and it should be changed
> I let you report it at <http://www.rfc-editor.org/errata.php>, I'm not
> confident enough to do it.
Yes, but one of the authors of RFC5155 has responded on this mailing
list; first we must talk about it before posting errata.
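
A sketch of the kind of monitoring check mentioned in the message above, added here as an example and not code from the thread's participants, Unbound or BIND: it parses a wire-format response and reports whether AD is set on an NXDOMAIN whose authority section carries an NSEC3 with the Opt-Out flag. The function names and the sample message are constructed for illustration, and treating any Opt-Out NSEC3 in the authority section as "opt-out applies" is a simplifying assumption (it does not check which NSEC3 covers the next closer name).

```python
import struct

AD_BIT, NXDOMAIN, NSEC3, OPT_OUT = 0x0020, 3, 50, 0x01

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:                    # root label terminates the name
            return off + 1
        if (length & 0xC0) == 0xC0:        # compression pointer, always last
            return off + 2
        off += 1 + length

def classify(msg):
    """Return (rcode, ad, optout_seen) for a wire-format DNS response."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE and QCLASS
    optout = False
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        # NSEC3 RDATA starts: hash alg (1 octet), flags (1 octet); Opt-Out is
        # the low flag bit. Assumption: any such record in authority counts.
        if i >= an and rtype == NSEC3 and rdlen >= 2 and msg[off + 1] & OPT_OUT:
            optout = True
        off += rdlen
    return flags & 0x000F, bool(flags & AD_BIT), optout

def verdict(msg):
    rcode, ad, optout = classify(msg)
    if rcode != NXDOMAIN:
        return "not-nxdomain"
    if optout:
        return "ad-with-optout" if ad else "no-ad-with-optout"
    return "ad" if ad else "no-ad"

def sample(ad, nsec3_flags):
    """Constructed NXDOMAIN response for nx.example. with one NSEC3 in authority."""
    flags = 0x8180 | NXDOMAIN | (AD_BIT if ad else 0)
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 1, 0)
    question = b"\x02nx\x07example\x00" + struct.pack("!HH", 1, 1)
    owner = b"\x20" + b"a" * 32 + b"\xc0\x0f"   # pointer to "example." at offset 15
    rdata = bytes([1, nsec3_flags, 0, 0, 0, 20]) + b"\xff" * 20 + b"\x00\x01\x40"
    rr = owner + struct.pack("!HHIH", NSEC3, 1, 3600, len(rdata)) + rdata
    return header + question + rr
```

A monitor comparing resolvers would run `verdict()` on each resolver's answer to the same query and alert when the results differ; truncated or malformed input raises an exception rather than returning a verdict.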