ad flag missing in response to a tlsa query
ml+unbound-users at esmtp.org
Thu Jan 2 07:27:19 UTC 2020
On Wed, Jan 01, 2020, Ondřej Caletka via unbound-users wrote:
> this is because zone roaringpenguin.com uses NSEC3 Opt-out:
Thanks for the explanation!
> With opt-out, the positive answers can be validated normally but in case
> of NXDomain, one cannot be sure that there is not an unsigned
> delegation, since such delegation was opted out of the NSEC3 proof.
> Therefore, the state of negative answer is only insecure. See
Now I have to figure out how this information is returned from the
resolver to the application (which tries to implement DANE for SMTP).
Currently my code turns a permanent error into a temporary error
if the ad flag is not set for the TLSA lookup result but was set
for the MX/A results (because I thought that might indicate a
potential MitM attack).
However, this seems to be a legitimate configuration/result, but
how is that information returned by a (validating) resolver?
(this might be a question for a different mailing list, sorry).
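As an added illustration (not the poster's code, and not Unbound's), here is the decision mapping a DANE SMTP client can apply to the three outcomes a validating resolver reports: secure (AD set), insecure (no AD, which is what the NSEC3 opt-out NXDOMAIN above looks like), and bogus (SERVFAIL, assuming the resolver is not in permissive mode). The `DnsReply` model, the rcode strings and the action names are assumptions for the example; the policy follows the RFC 7672 rule that an insecure TLSA result means "no DANE, fall back to opportunistic TLS", while only a bogus result should defer delivery.

```python
from dataclasses import dataclass

# Constructed model of one resolver reply: rcode name, AD flag, and the
# number of TLSA RRs returned. A validating resolver such as Unbound (in
# its default, non-permissive mode) answers a validation failure with
# SERVFAIL instead of handing back unauthenticated data.
@dataclass
class DnsReply:
    rcode: str          # "NOERROR", "NXDOMAIN", "SERVFAIL", ...
    ad: bool            # Authenticated Data flag set by the resolver
    records: int = 0    # TLSA RRs in the answer section (0 for NXDOMAIN/NODATA)


def dnssec_state(reply: DnsReply) -> str:
    """Map a reply to the DNSSEC validation state the resolver is signalling."""
    if reply.rcode not in ("NOERROR", "NXDOMAIN"):
        return "bogus"      # SERVFAIL (or any other lookup error): do not trust
    return "secure" if reply.ad else "insecure"


def dane_policy(mx_reply: DnsReply, tlsa_reply: DnsReply) -> str:
    """Return the client action for one MX host (simplified RFC 7672 logic)."""
    if dnssec_state(mx_reply) == "bogus":
        return "defer"                  # temp error, retry later
    if not mx_reply.ad:
        return "opportunistic-tls"      # DANE only applies to a secure MX chain
    state = dnssec_state(tlsa_reply)
    if state == "bogus":
        return "defer"                  # possible downgrade attempt: never deliver
    if state == "insecure" or tlsa_reply.records == 0:
        # Insecure denial (NSEC3 opt-out zone, no AD) or a secure NXDOMAIN/NODATA:
        # the host simply has no usable TLSA record; do not turn this into an error.
        return "opportunistic-tls"
    return "dane-tls"                   # secure TLSA RRs: enforce certificate match


if __name__ == "__main__":
    secure_mx = DnsReply("NOERROR", ad=True, records=1)
    # The case from the thread: NXDOMAIN for the TLSA name without AD.
    print(dane_policy(secure_mx, DnsReply("NXDOMAIN", ad=False)))   # opportunistic-tls
    print(dane_policy(secure_mx, DnsReply("SERVFAIL", ad=False)))   # defer
```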