[Unbound-users] AD bit set for NXDOMAIN but should not?
wouter at NLnetLabs.nl
Tue Mar 1 16:25:04 UTC 2011
On 03/01/2011 04:11 PM, David Blacka wrote:
>> According to section 9.2, unbound *isn't* correct -- if the covering NSEC3 RR has the opt-out bit set, you don't set AD. This doesn't change the proof -- you see the same NSEC3 RRs regardless.
>> No. There is no separate 'insecure' NXDOMAIN proof. The only response that is constructed differently due to the opt-out bit is the insecure referral (instead of a matching NSEC3, there is a closest encloser NSEC3 and a NSEC3 covering the next closer name which MUST have the opt-out bit set.)
Yes, I was wrong about that in the email you quote.
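The section 9.2 rule discussed in this thread (RFC 5155), shown as an added example that is not part of the original message or of Unbound's code: find the closest encloser in an NXDOMAIN response's NSEC3 set, then refuse AD if the NSEC3 covering the next closer name has Opt-Out set. The dict record layout, the function names and the sample zone are assumptions; RRSIG validation and the wildcard denial are assumed to be handled elsewhere.

```python
import hashlib

OPT_OUT = 0x01  # Opt-Out bit in the NSEC3 Flags field (RFC 5155)
SALT, ITER = bytes.fromhex("aabbccdd"), 12  # constructed NSEC3 parameters

def labels(name):
    return [l for l in name.lower().split(".") if l]

def nsec3_hash(name, salt, iterations):
    """SHA-1 over wire-format name || salt, then `iterations` extra rounds."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels(name)) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def covers(rr, h):
    """True if hash h lies strictly between rr's owner hash and next hash."""
    if rr["owner"] < rr["next"]:
        return rr["owner"] < h < rr["next"]
    return h > rr["owner"] or h < rr["next"]  # last NSEC3 in the chain wraps

def ad_allowed(qname, zone, rrs, salt, iterations):
    """Section 9.2 check on a closest encloser proof.
    True/False: AD may / must not be set. None: no usable proof found."""
    q = labels(qname)
    for i in range(1, len(q) - len(labels(zone)) + 1):
        encloser, next_closer = ".".join(q[i:]), ".".join(q[i - 1:])
        # Closest encloser = longest ancestor with a *matching* NSEC3.
        if any(rr["owner"] == nsec3_hash(encloser, salt, iterations) for rr in rrs):
            h = nsec3_hash(next_closer, salt, iterations)
            covering = [rr for rr in rrs if covers(rr, h)]
            if not covering:
                return None  # next closer name is not denied
            return not any(rr["flags"] & OPT_OUT for rr in covering)
    return None

def shift(h, d):
    """Constructed-data helper: the 20-byte hash value h moved by d."""
    return (int.from_bytes(h, "big") + d).to_bytes(20, "big")

def sample_rrs(flags):
    """Constructed NSEC3 set for x.y.example (not captured from a real zone)."""
    apex = nsec3_hash("example", SALT, ITER)
    nc = nsec3_hash("y.example", SALT, ITER)
    return [{"owner": apex, "next": shift(apex, 1), "flags": 0},
            {"owner": shift(nc, -1), "next": shift(nc, 1), "flags": flags}]
```

The NSEC3 records seen are the same in both cases; only the Flags field of the covering record changes the AD decision.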