[Unbound-users] AD bit set for NXDOMAIN but should not?
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Tue Mar 1 16:25:04 UTC 2011
Hi David,
On 03/01/2011 04:11 PM, David Blacka wrote:
>> According to section 9.2, unbound *isn't* correct -- if the covering NSEC3 RR has the opt-out bit set, you don't set AD. This doesn't change the proof -- you see the same NSEC3 RRs regardless.
Yes
>> No. There is no separate 'insecure' NXDOMAIN proof. The only response that is constructed differently due to the opt-out bit is the insecure referral (instead of a matching NSEC3, there is a closest encloser NSEC3 and a NSEC3 covering the next closer name which MUST have the opt-out bit set.)
Yes, I was wrong about that in the email you quote.
Best regards,
Wouter
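The rule agreed on in this message (section 9.2 of RFC 5155: no AD when the NSEC3 covering the next closer name has the opt-out bit set), as an added Python example that is not part of the original message and is not Unbound's code. The dict layout for an NSEC3 record, the helper names and the sample records are assumptions made for illustration; the caller is assumed to have already validated the RRSIGs and determined the closest encloser.

```python
import base64
import hashlib

OPT_OUT = 0x01  # Opt-Out bit in the NSEC3 Flags field
B32, B32HEX = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV"

def nsec3_hash(name, salt, iterations):
    """Salted, iterated SHA-1 over the lowercased wire-format name."""
    labels = name.lower().rstrip(".").encode().split(b".")
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def hash_label(digest):
    """Base32hex owner label for a 20-byte hash."""
    return base64.b32encode(digest).translate(bytes.maketrans(B32, B32HEX)).decode().lower()

def owner_hash(label):
    """Inverse of hash_label: decode an NSEC3 owner's first label."""
    return base64.b32decode(label.upper().encode().translate(bytes.maketrans(B32HEX, B32)))

def covers(rr, h):
    """True if h lies strictly inside the RR's hash interval (last RR wraps around)."""
    start, end = owner_hash(rr["owner"]), rr["next"]
    return start < h < end if start < end else (h > start or h < end)

def next_closer(qname, closest_encloser):
    """The ancestor of qname that is one label longer than the closest encloser."""
    q, ce = qname.rstrip(".").split("."), closest_encloser.rstrip(".").split(".")
    return ".".join(q[len(q) - len(ce) - 1:])

def ad_allowed(qname, closest_encloser, nsec3_rrs):
    """False when the NSEC3 covering the next closer name has Opt-Out set."""
    name = next_closer(qname, closest_encloser)
    for rr in nsec3_rrs:
        if covers(rr, nsec3_hash(name, rr["salt"], rr["iterations"])):
            return not (rr["flags"] & OPT_OUT)
    return False  # no covering NSEC3 at all: proof incomplete, never AD

def constructed_rr(covered_name, flags, salt=b"\xaa\xbb", iterations=1):
    """Constructed sample NSEC3 (not real zone data) whose interval brackets covered_name."""
    h = int.from_bytes(nsec3_hash(covered_name, salt, iterations), "big")
    return {"owner": hash_label((h - 1).to_bytes(20, "big")), "flags": flags,
            "salt": salt, "iterations": iterations, "next": (h + 1).to_bytes(20, "big")}

if __name__ == "__main__":
    for flags in (0x00, OPT_OUT):
        rr = constructed_rr("b.example", flags)
        print(f"flags={flags:#04x} AD allowed: {ad_allowed('a.b.example.', 'example.', [rr])}")
```

The NSEC3 records returned are the same in both cases; only the flag on the covering record changes whether the NXDOMAIN answer may carry AD.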