ad flag missing in response to a tlsa query

Ondřej Caletka ondrej at caletka.cz
Wed Jan 1 10:49:15 UTC 2020


On 01. 01. 20 at 10:50 Claus Assmann via unbound-users wrote:
> I'm trying to figure out why the ad flag is not set for a specific
> TLSA query:
> 
> unbound 1.9.6 is listening on port 1153:
> dig +ad -p 1153 -t tlsa _25._tcp.mail.roaringpenguin.com
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19607
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> It works fine for other domains, e.g.,
> dig +ad -p 1153 -t tlsa _25._tcp.mail.nllabs.nl.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61517
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> delv can seemingly verify that -t tlsa _25._tcp.mail.roaringpenguin.com
> does not exist:
> ; negative response, fully validated
> ; _25._tcp.mail.roaringpenguin.com. 1624 IN \-ANY	;-$NXDOMAIN
> 
> So what is wrong? Do I misunderstand what the ad flag indicates?
> Is some setup (my side, server side) wrong?

Hello,

this is because zone roaringpenguin.com uses NSEC3 Opt-out:

$ dig +ad -t tlsa _25._tcp.mail.roaringpenguin.com +dnssec
(Look for the second "1" in NSEC3 records)

With opt-out, the positive answers can be validated normally but in case
of NXDomain, one cannot be sure that there is not an unsigned
delegation, since such delegation was opted out of the NSEC3 proof.
Therefore, the state of negative answer is only insecure. See
https://tools.ietf.org/html/rfc5155#section-9.2

--
Ondřej Caletka
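The Opt-Out rule from the reply above, turned into a small checker. This is an added example, not code from the thread or from Unbound: it parses NSEC3 records as dig prints them, reads the Flags field (the "second 1" the reply points at) and reports whether a validator may mark an NXDOMAIN answer as secure. The authority sections and hashed owner names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed NXDOMAIN authority sections (made-up zones, not real records).
# NSEC3 RDATA (RFC 5155 s.3.3): hash-alg flags iterations salt next-hashed-owner [types]
# The Opt-Out flag is bit 0 of Flags (RFC 5155 s.3.1.2.1).
OPTOUT_AUTHORITY = """\
optout.test. 300 IN SOA ns1.optout.test. hostmaster.optout.test. 1 7200 900 1209600 300
0123456789ABCDEFGHIJKLMNOPQRSTUV.optout.test. 300 IN NSEC3 1 1 0 - 123456789ABCDEFGHIJKLMNOPQRSTUV0 NS SOA RRSIG DNSKEY NSEC3PARAM
"""
SIGNED_AUTHORITY = """\
signed.test. 300 IN SOA ns1.signed.test. hostmaster.signed.test. 1 7200 900 1209600 300
0123456789ABCDEFGHIJKLMNOPQRSTUV.signed.test. 300 IN NSEC3 1 0 0 - 123456789ABCDEFGHIJKLMNOPQRSTUV0 NS SOA RRSIG DNSKEY NSEC3PARAM
"""

NSEC3_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+NSEC3\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)(.*)$")


@dataclass(frozen=True)
class NSEC3:
    owner: str
    hash_algorithm: int
    flags: int
    iterations: int
    salt: str
    next_hashed_owner: str
    types: tuple

    @property
    def opt_out(self) -> bool:
        return bool(self.flags & 0x01)


def parse_nsec3_records(authority: str) -> list:
    """Extract NSEC3 RRs from a dig-style authority section."""
    out = []
    for line in authority.splitlines():
        m = NSEC3_RE.match(line.strip())
        if m:
            owner, alg, flags, iters, salt, nxt, bitmap = m.groups()
            out.append(NSEC3(owner, int(alg), int(flags), int(iters),
                             salt, nxt, tuple(bitmap.split())))
    return out


def negative_answer_status(authority: str) -> str:
    """'secure' means the AD flag may be set; 'insecure' means it must not.
    Simplification: a full validator hashes the query name and applies the
    Opt-Out rule only to the NSEC3 covering the next closer name
    (RFC 5155 s.8.5 / s.9.2); here every NSEC3 in the section is inspected."""
    records = parse_nsec3_records(authority)
    if not records:
        return "unsigned"   # no NSEC3 proof at all
    if any(r.opt_out for r in records):
        return "insecure"   # an unsigned delegation could exist below the gap
    return "secure"
```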

