ad flag missing in response to a tlsa query
Florian Weimer
fw at deneb.enyo.de
Wed Jan 1 10:39:56 UTC 2020
* Claus Assmann via unbound-users:
> I'm trying to figure out why the ad flag is not set for a specific
> TLSA query:
>
> unbound 1.9.6 is listening on port 1153:
> dig +ad -p 1153 -t tlsa _25._tcp.mail.roaringpenguin.com
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19607
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> It works fine for other domains, e.g.,
> dig +ad -p 1153 -t tlsa _25._tcp.mail.nllabs.nl.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61517
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> delv can seemingly verify that -t tlsa _25._tcp.mail.roaringpenguin.com
> does not exist:
> ; negative response, fully validated
> ; _25._tcp.mail.roaringpenguin.com. 1624 IN \-ANY ;-$NXDOMAIN
>
> So what is wrong? Do I misunderstand what the ad flag indicates?
The opt-out bit is set on the NSEC3 record, so I assume the name is an
opt-out section of the zone. Therefore, the response cannot be
authenticated using DNSSEC.
More information about the Unbound-users
mailing list