Maintained by: NLnet Labs

[Unbound-users] AD flag inconsistency in "Wildcard Expansion" and "Wildcard No Data Error" query

Jia Li
Thu Jul 7 08:16:04 CEST 2011



     When I use Unbound as a validator to test opt-out NSEC3, I found that in the "wildcard expansion" case Unbound responds without the AD flag, while in the "wildcard no data" case Unbound responds with the AD flag. Is this an inconsistency? According to RFC 5155, "9.2. Use of the AD bit", the AD bit must not be set when the response contains an NSEC3 RR that covers the "next closer" name and has the opt-out bit set.

     So maybe in both cases Unbound should not set the AD bit?

    The "wildcard expansion" case query has the following result:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65187
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;b.wild.optout.example.         IN      A

;; ANSWER SECTION:
b.wild.optout.example.  300     IN      A       10.0.0.6
b.wild.optout.example.  300     IN      RRSIG   A 7 3 300 20110806020105 20110707020105 54458 optout.example. Epk2nJ16+JzMZOHVF0qa+65OxttM8pE25l3u+oLoWpPaGgF6udZmJfhU rw8LThrwYhb5JSxCo4jN7Z7LQa9+sVaWbXzKWD5uCbRcnHajV3bCF1vZ F1b0ZZcIfRLj2vOB

;; AUTHORITY SECTION:
optout.example.         300     IN      NS      ns.optout.example.
optout.example.         300     IN      RRSIG   NS 7 2 300 20110806020105 20110707020105 54458 optout.example. HTWJ3lVz7+ksF3P/XEj+13JANSofH82mTQnEjBJghKl4NlxwofcB0L2q t468pfUHZFoZ/eQawhCHgJvppPUY3lXmOCMHD6YwwDklnYE5HcaLYnOP LxJK7Xr842o0BXb4
M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN NSEC3 1 1 10 - QVSNM823Q1GIK9CRGG58TK9AOLCR0DC2
M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN RRSIG NSEC3 7 3 3600 20110806020105 20110707020105 54458 optout.example. VplQeqb2QF71ZYLBR97H5uyzxuALj1NKcLXtDjFEjOlUjSIohyX3UXZ3 HIqkYm/HhsQ/HyeNHGH4hiCqOYjJnfgxlU67kfwhfr4qrkTYeBDxjTN+ nqJtA39H2YyE/0nt

;; ADDITIONAL SECTION:
ns.optout.example.      300     IN      A       10.53.0.3
ns.optout.example.      300     IN      RRSIG   A 7 3 300 20110806020105 20110707020105 54458 optout.example. cTk09mW73DrFu7LNgt0aMV8E3fgrBLuqADWEbb+ZaygfYJYWNF4Y+q+O 3iHgR6CBmW1soMGobwS8xSgNMTEMtPPKWUtnpESqsCRm48ryA+3+F46R mn2BPmgLF7G6E3Hg
    


     The "wildcard no data" case is as follows:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59596
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;b.wild.optout.example.         IN      AAAA

;; AUTHORITY SECTION:
M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN NSEC3 1 1 10 - QVSNM823Q1GIK9CRGG58TK9AOLCR0DC2
M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN RRSIG NSEC3 7 3 3600 20110806020105 20110707020105 54458 optout.example. VplQeqb2QF71ZYLBR97H5uyzxuALj1NKcLXtDjFEjOlUjSIohyX3UXZ3 HIqkYm/HhsQ/HyeNHGH4hiCqOYjJnfgxlU67kfwhfr4qrkTYeBDxjTN+ nqJtA39H2YyE/0nt
EJ0VQS7A2RURJ4K5QLMURRQQGIG667KK.optout.example. 3600 IN NSEC3 1 1 10 - F1B8R8H9UMD9OS8NH6I63TOO0K39AB11 A RRSIG
EJ0VQS7A2RURJ4K5QLMURRQQGIG667KK.optout.example. 3600 IN RRSIG NSEC3 7 3 3600 20110806020105 20110707020105 54458 optout.example. AH+FOkZQXf91/tIXbRAuyO98uG3a5kC4A4o7kwzK1XV2PInh6mQD2MsY FkmrRU99EHkrsx8nMCq2p7oq2e2wHmwr7lOD+NrH0CO6QYUjs0TnT83n XLXpcXgn8QdkJ2GS
optout.example.         300     IN      SOA     mname1. . 2000042407 20 20 1814400 3600
optout.example.         300     IN      RRSIG   SOA 7 2 300 20110806020105 20110707020105 54458 optout.example. w/NZwX4wbCUhX9+oS8AetzARxIYN6JlD5RATXQtHRiG3hnlGAQmf0kcu YmE1VHtPZP99X+kCH6h+CG23Thesy29EdnHKyoAmymyeKRoOtrkC/I9h oPPx4ppfWwsIQ8hS


2011-07-07 



Jia Li 
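
Added example (not part of the original post and not Unbound's code): an offline check of the RFC 5155 section 9.2 condition cited above, run against the NSEC3 records from the two responses. The next closer name b.wild.optout.example. is an assumption, inferred from the RRSIG Labels field of 3 in the first response; the function and variable names are illustrative.

```python
import base64
import hashlib

# Map the standard base32 alphabet to the base32hex alphabet NSEC3 uses.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5 hash (SHA-1) of a domain name, upper-case base32hex."""
    labels = [l for l in name.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    digest = hashlib.sha1(wire + salt_bytes).digest()
    for _ in range(iterations):          # "iterations" counts the extra rounds
        digest = hashlib.sha1(digest + salt_bytes).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX)

def covers(owner, nxt, h):
    """True if hash h lies strictly between an NSEC3 owner and its next hash."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt          # last record in the chain wraps around

def parse_nsec3(line):
    """Pull the fields needed here out of one dig-format NSEC3 line."""
    f = line.split()
    i = f.index("NSEC3")
    return {"owner": f[0].split(".")[0].upper(), "optout": bool(int(f[i + 2]) & 1),
            "iterations": int(f[i + 3]), "salt": f[i + 4], "next": f[i + 5].upper()}

def optout_covers_next_closer(next_closer, nsec3_lines):
    """RFC 5155 9.2 condition: an Opt-Out NSEC3 covers the next closer name."""
    for rec in map(parse_nsec3, nsec3_lines):
        h = nsec3_hash(next_closer, rec["salt"], rec["iterations"])
        if rec["optout"] and covers(rec["owner"], rec["next"], h):
            return True
    return False

# NSEC3 lines copied from the two responses in the post (RRSIGs omitted).
M4GQ = ("M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN NSEC3 "
        "1 1 10 - QVSNM823Q1GIK9CRGG58TK9AOLCR0DC2")
EJ0V = ("EJ0VQS7A2RURJ4K5QLMURRQQGIG667KK.optout.example. 3600 IN NSEC3 "
        "1 1 10 - F1B8R8H9UMD9OS8NH6I63TOO0K39AB11 A RRSIG")
RESPONSES = {"wildcard expansion": [M4GQ], "wildcard no data": [M4GQ, EJ0V]}
NEXT_CLOSER = "b.wild.optout.example."   # assumption: closest encloser is wild.optout.example.

if __name__ == "__main__":
    for case, lines in RESPONSES.items():
        print(case, "-> 9.2 condition met:", optout_covers_next_closer(NEXT_CLOSER, lines))
```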