[Unbound-users] AD bit set for NXDOMAIN but should not?
Matthijs Mekking
matthijs at NLnetLabs.nl
Tue Mar 1 09:58:38 UTC 2011
On 03/01/2011 12:52 AM, David Blacka wrote:
>
> On Feb 28, 2011, at 11:07 AM, W.C.A. Wijngaards wrote:
>
>> Example B.1 in RFC5155 is wrong, and it should be changed to have the
>> optout flag removed from the nextcloser NSEC3
>> (0p9mhaveqvm6t7vbl5lop2u3t2rp3tom).
>>
>> (with the optout flag set, the example is insecure, and also the
>> wildcard denial has to be removed).
>
> Where in 5155 does it say that the NXDOMAIN proof is different in the opt-out case? My memory (and a quick search through 5155) is that only the insecure referral proof is different with Opt-Out.
>
> AFAICT example B.1 is correct. The examples don't show the AD bit status (they are showing the responses from the authoritative server), but I thought section 9.2 was clear enough.
But it is confusing:
RFC 5155 also shows example responses with an NSEC3 that matches the
QNAME, which also don't have the AD bit set. These records don't provide
closest encloser proofs, as far as I understand. As a result, examples
B.2, B.2.1 and B.6 should have set the AD bit.
Best regards,
Matthijs
>
> --
> David Blacka <davidb at verisign.com>
> Principal Engineer Verisign Platform Product Development
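The proof the thread is arguing about, as an added worked example (this is not code from Unbound, from NLnet Labs or from the RFC; the function names and the NSEC3 class are mine): it hashes names as RFC 5155 section 5 specifies, builds a chain over a small constructed set of names modelled on the RFC's Appendix A example zone (salt aabbccdd, 12 iterations; the unsigned delegation c.example is left out, as Opt-Out allows), and validates the NXDOMAIN for a.c.x.w.example. following sections 8.3 and 8.4. The Opt-Out flag on the NSEC3 that covers the next closer name (c.x.w.example.) is what turns the outcome from "secure" into "insecure", which is the section 9.2 rule that the AD bit must not be set. Hashes are computed at run time rather than copied from the appendix, so the chain is structurally, not byte-for-byte, the RFC's.

```python
"""NSEC3 name-error (NXDOMAIN) validation with the RFC 5155 Opt-Out rule.

Added example; not Unbound code. NAMES is a constructed subset of the
RFC 5155 Appendix A example zone; hashes are computed here, not copied."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hash parameters of the RFC 5155 example zone: SHA-1, 12 iterations, salt aabbccdd.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12

# Constructed chain members. c.example (an unsigned delegation in the RFC zone)
# is deliberately absent: Opt-Out lets a signer skip exactly such names.
NAMES = ["example.", "a.example.", "ai.example.", "ns1.example.", "ns2.example.",
         "w.example.", "*.w.example.", "x.w.example.", "x.y.w.example.", "y.w.example."]

_B32HEX = "0123456789abcdefghijklmnopqrstuv"


def base32hex(data: bytes) -> str:
    """Base32 with the Extended Hex alphabet (RFC 4648 section 7), lowercase, unpadded."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(_B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> str:
    """RFC 5155 section 5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def parent(name: str) -> str:
    """Strip the leftmost label; the parent of a single-label name is the root."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


@dataclass(frozen=True)
class NSEC3:
    owner: str       # hashed owner name (base32hex)
    next_owner: str  # Next Hashed Owner Name field
    opt_out: bool    # Flags field bit 0 (RFC 5155 section 3.1.2.1)

    def covers(self, h: str) -> bool:
        """h lies strictly between owner and next; the last RR wraps around to the first."""
        if self.owner < self.next_owner:
            return self.owner < h < self.next_owner
        return h > self.owner or h < self.next_owner


def build_chain(names: List[str], opt_out: bool, salt: bytes = SALT,
                iterations: int = ITERATIONS) -> List[NSEC3]:
    """Signer side: hash every name, sort, link each RR to its successor (wrapping)."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [NSEC3(h, hashes[(i + 1) % len(hashes)], opt_out) for i, h in enumerate(hashes)]


def prove_name_error(qname: str, chain: List[NSEC3], salt: bytes = SALT,
                     iterations: int = ITERATIONS) -> Tuple[str, Optional[str], Optional[str]]:
    """Validator side, RFC 5155 sections 8.3/8.4. Returns (status, closest_encloser, next_closer):
    'secure'   valid proof, AD may be set
    'insecure' valid proof, but the next-closer cover has Opt-Out: AD must not be set (section 9.2)
    'bogus'    no valid proof"""
    def find_match(h: str) -> Optional[NSEC3]:
        return next((rr for rr in chain if rr.owner == h), None)

    def find_cover(h: str) -> Optional[NSEC3]:
        return next((rr for rr in chain if rr.covers(h)), None)

    # Section 8.3: walk up from QNAME until some NSEC3 matches; that name is the
    # closest encloser and the name one label below it is the "next closer" name.
    sname, next_closer = qname, None
    while find_match(nsec3_hash(sname, salt, iterations)) is None:
        if sname == ".":
            return "bogus", None, None
        next_closer, sname = sname, parent(sname)
    if next_closer is None:
        return "bogus", sname, None          # QNAME itself exists: not a name error
    cover = find_cover(nsec3_hash(next_closer, salt, iterations))
    if cover is None:
        return "bogus", sname, next_closer   # next closer neither matched nor covered
    # Section 8.4: the wildcard at the closest encloser must be denied as well.
    wildcard = "*." + sname if sname != "." else "*."
    if find_cover(nsec3_hash(wildcard, salt, iterations)) is None:
        return "bogus", sname, next_closer
    # Section 9.2: an Opt-Out span may hide an insecure delegation at the next
    # closer name, so the proof cannot establish the name's absence as secure.
    if cover.opt_out:
        return "insecure", sname, next_closer
    return "secure", sname, next_closer


if __name__ == "__main__":
    for flag in (True, False):
        print(f"opt_out={flag}:", prove_name_error("a.c.x.w.example.", build_chain(NAMES, flag)))
    print("H(example.) =", nsec3_hash("example."), "(compare with RFC 5155 Appendix A)")
```

With opt_out=True the closest encloser proof itself is valid (closest encloser x.w.example., next closer c.x.w.example.) but the verdict is "insecure", so a validator answers without AD; with the same chain signed without Opt-Out the identical proof is "secure". A query name that is itself in the chain (x.w.example.) is rejected as not being a name error at all, which is the distinction between a covering and a matching NSEC3 that the thread turns on.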