ad flag missing in response to a tlsa query

Claus Assmann ml+unbound-users at esmtp.org
Thu Jan 2 07:27:19 UTC 2020


On Wed, Jan 01, 2020, Ondřej Caletka via unbound-users wrote:

> this is because zone roaringpenguin.com uses NSEC3 Opt-out:

Thanks for the explanation!

> With opt-out, the positive answers can be validated normally but in case
> of NXDomain, one cannot be sure that there is not an unsigned
> delegation, since such delegation was opted out of the NSEC3 proof.
> Therefore, the state of negative answer is only insecure. See

Now I have to figure out how this information is returned from the
resolver to the application (which tries to implement DANE for SMTP).

Currently my code turns a permanent error into a temporary error
if the ad flag is not set for the TLSA lookup result but was set
for the MX/A results (because I thought that might indicate a
potential MitM attack).

However, this seems to be a legitimate configuration/result, but
how is that information returned by a (validating) resolver?
(this might be a question for a different mailing list, sorry).
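An added example, not code from this thread or from Unbound, showing how an SMTP client can map the MX and TLSA lookup outcomes it sees from a stub resolver (RCODE plus AD flag) to the action RFC 7672 prescribes; the `LookupResult` record and its field names are assumptions standing in for whatever the real resolver API returns.

```python
# Added example: DANE-for-SMTP decision from resolver security state.
# Models RFC 7672 handling: bogus -> defer, insecure -> no DANE, secure -> DANE.
from enum import Enum
from typing import List, NamedTuple


class Action(Enum):
    DANE = "enforce TLSA-authenticated TLS"
    OPPORTUNISTIC = "no usable TLSA records: opportunistic TLS only"
    DEFER = "temporary failure: retry delivery later"


class LookupResult(NamedTuple):
    # Assumed shape of a resolver answer; real APIs differ in naming.
    rcode: str          # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    ad: bool            # AD flag set by the validating resolver
    records: List[str]  # answer RRs; empty for NXDOMAIN or NODATA


def security_state(r: LookupResult) -> str:
    """Classify one answer as seen through a validating stub resolver.

    A validating resolver answers SERVFAIL for bogus data, so at the stub
    an application cannot tell bogus from an ordinary server failure and
    must treat both as temporary.  AD clear with a normal RCODE means the
    data (or the denial of existence) is merely insecure, which is exactly
    what an NSEC3 opt-out zone produces for a TLSA NXDOMAIN.
    """
    if r.rcode == "SERVFAIL":
        return "bogus"
    return "secure" if r.ad else "insecure"


def dane_policy(mx: LookupResult, tlsa: LookupResult) -> Action:
    """Decide how to connect given the MX and TLSA lookup outcomes."""
    if security_state(mx) == "bogus" or security_state(tlsa) == "bogus":
        return Action.DEFER                # never downgrade on validation failure
    if security_state(mx) != "secure":
        return Action.OPPORTUNISTIC        # unsigned MX: TLSA cannot be trusted
    if security_state(tlsa) != "secure":
        return Action.OPPORTUNISTIC        # insecure denial or insecure data
    if not tlsa.records:
        return Action.OPPORTUNISTIC        # secure proof that no TLSA exists
    return Action.DANE


if __name__ == "__main__":
    # Constructed sample: secure MX, but TLSA NXDOMAIN from an opt-out zone.
    mx = LookupResult("NOERROR", True, ["10 mail.example.test."])
    tlsa = LookupResult("NXDOMAIN", False, [])
    print(dane_policy(mx, tlsa).value)
```

The opt-out case from the thread (secure MX, TLSA NXDOMAIN with AD clear, no SERVFAIL) therefore resolves to opportunistic TLS rather than a temporary error.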
