Maintained by: NLnet Labs

[Unbound-users] AD flag inconsistency in "Wildcard Expansion" and "Wildcard No Data Error" query

W.C.A. Wijngaards
Thu Jul 7 17:28:33 CEST 2011


Hi Jia Li,

Could it be that you are using a version before 1.4.9? There is a fix
listed in unbound 1.4.9: "Fix no ADflag for NXDOMAIN in NSEC3 optout. And
wildcard in optout."

Best regards,
   Wouter

On 07/07/2011 08:16 AM, Jia Li wrote:
>
>      When I use Unbound as a validator to test opt-out NSEC3, I found that
> in the "wildcard expansion" case Unbound responds with no AD flag, while
> in the "wildcard no data" case Unbound responds with the AD flag. Is this
> an inconsistency? According to RFC 5155 "9.2. Use of the AD bit", the AD bit
> must not be set when the response contains an NSEC3 RR that covers the "next
> closer" name and has the Opt-Out bit set.
>  
>      So maybe in both cases Unbound should not set the AD bit?
>  
>     The "wildcard expansion" case query has the following result:
>  
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65187
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3
>  
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;b.wild.optout.example.         IN      A
>  
> ;; ANSWER SECTION:
> b.wild.optout.example.  300     IN      A       10.0.0.6
> b.wild.optout.example.  300     IN      RRSIG   A 7 3 300 20110806020105 20110707020105 54458 optout.example. Epk2nJ16+JzMZOHVF0qa+65OxttM8pE25l3u+oLoWpPaGgF6udZmJfhU rw8LThrwYhb5JSxCo4jN7Z7LQa9+sVaWbXzKWD5uCbRcnHajV3bCF1vZ F1b0ZZcIfRLj2vOB
>  
> ;; AUTHORITY SECTION:
> optout.example.         300     IN      NS      ns.optout.example.
> optout.example.         300     IN      RRSIG   NS 7 2 300 20110806020105 20110707020105 54458 optout.example. HTWJ3lVz7+ksF3P/XEj+13JANSofH82mTQnEjBJghKl4NlxwofcB0L2q t468pfUHZFoZ/eQawhCHgJvppPUY3lXmOCMHD6YwwDklnYE5HcaLYnOP LxJK7Xr842o0BXb4
> M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN NSEC3 1 1 10 - QVSNM823Q1GIK9CRGG58TK9AOLCR0DC2
> M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN RRSIG NSEC3 7 3 3600 20110806020105 20110707020105 54458 optout.example. VplQeqb2QF71ZYLBR97H5uyzxuALj1NKcLXtDjFEjOlUjSIohyX3UXZ3 HIqkYm/HhsQ/HyeNHGH4hiCqOYjJnfgxlU67kfwhfr4qrkTYeBDxjTN+ nqJtA39H2YyE/0nt
>  
> ;; ADDITIONAL SECTION:
> ns.optout.example.      300     IN      A       10.53.0.3
> ns.optout.example.      300     IN      RRSIG   A 7 3 300 20110806020105 20110707020105 54458 optout.example. cTk09mW73DrFu7LNgt0aMV8E3fgrBLuqADWEbb+ZaygfYJYWNF4Y+q+O 3iHgR6CBmW1soMGobwS8xSgNMTEMtPPKWUtnpESqsCRm48ryA+3+F46R mn2BPmgLF7G6E3Hg
>
>      The "wildcard no data" case is as follows:
>  
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59596
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
>  
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;b.wild.optout.example.         IN      AAAA
>  
> ;; AUTHORITY SECTION:
> M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN NSEC3 1 1 10 - QVSNM823Q1GIK9CRGG58TK9AOLCR0DC2
> M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN RRSIG NSEC3 7 3 3600 20110806020105 20110707020105 54458 optout.example. VplQeqb2QF71ZYLBR97H5uyzxuALj1NKcLXtDjFEjOlUjSIohyX3UXZ3 HIqkYm/HhsQ/HyeNHGH4hiCqOYjJnfgxlU67kfwhfr4qrkTYeBDxjTN+ nqJtA39H2YyE/0nt
> EJ0VQS7A2RURJ4K5QLMURRQQGIG667KK.optout.example. 3600 IN NSEC3 1 1 10 - F1B8R8H9UMD9OS8NH6I63TOO0K39AB11 A RRSIG
> EJ0VQS7A2RURJ4K5QLMURRQQGIG667KK.optout.example. 3600 IN RRSIG NSEC3 7 3 3600 20110806020105 20110707020105 54458 optout.example. AH+FOkZQXf91/tIXbRAuyO98uG3a5kC4A4o7kwzK1XV2PInh6mQD2MsY FkmrRU99EHkrsx8nMCq2p7oq2e2wHmwr7lOD+NrH0CO6QYUjs0TnT83n XLXpcXgn8QdkJ2GS
> optout.example.         300     IN      SOA     mname1. . 2000042407 20 20 1814400 3600
> optout.example.         300     IN      RRSIG   SOA 7 2 300 20110806020105 20110707020105 54458 optout.example. w/NZwX4wbCUhX9+oS8AetzARxIYN6JlD5RATXQtHRiG3hnlGAQmf0kcu YmE1VHtPZP99X+kCH6h+CG23Thesy29EdnHKyoAmymyeKRoOtrkC/I9h oPPx4ppfWwsIQ8hS
>  
>  
> 2011-07-07
> ------------------------------------------------------------------------
> Jia Li

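As an added example (not from the thread and not Unbound's code), the RFC 5155 section 9.2 check Jia Li describes, run over the two NSEC3 records from the "wildcard no data" response above: the next-closer name (b.wild.optout.example, the name one label below the closest encloser wild.optout.example) is hashed with the records' own parameters (SHA-1, 10 iterations, empty salt), the covering NSEC3 is located, and its Opt-Out flag decides whether the AD bit may be set. The hash routine is checked against the example zone in RFC 5155 Appendix A; everything else on the page is assumed as given.

```python
import base64
import hashlib
# NSEC3 records copied from the "wildcard no data" response above; flags field 1 = Opt-Out bit set.
AUTHORITY_NSEC3 = [
    "M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN NSEC3 1 1 10 - QVSNM823Q1GIK9CRGG58TK9AOLCR0DC2",
    "EJ0VQS7A2RURJ4K5QLMURRQQGIG667KK.optout.example. 3600 IN NSEC3 1 1 10 - F1B8R8H9UMD9OS8NH6I63TOO0K39AB11 A RRSIG",
]
# NSEC3 owner names are base32hex (RFC 4648 section 7); remap Python's standard base32 alphabet
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def to_wire(name):
    """Canonical wire form of a name: lower-case, length-prefixed labels, terminating root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5, hash alg 1 (SHA-1): IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(B32HEX)

def parse_nsec3(line):
    """Split one presentation-format NSEC3 RR into the fields the check needs."""
    owner, _ttl, _cls, _type, _alg, flags, iters, salt, nxt, *types = line.split()
    return {"owner": owner.split(".")[0].upper(), "optout": bool(int(flags) & 1),
            "iterations": int(iters), "salt": salt, "next": nxt.upper(), "types": types}

def covers(rec, h):
    """True if h lies strictly between owner and next hash; the last NSEC3 in the chain wraps to the first."""
    owner, nxt = rec["owner"], rec["next"]
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt

def ad_permitted_for_hash(records, h):
    """RFC 5155 9.2: no AD when the covering NSEC3 is Opt-Out; None = nothing covers h (proof incomplete)."""
    for rec in records:
        if covers(rec, h):
            return not rec["optout"]
    return None

def ad_permitted(records, next_closer_name):
    p = records[0]  # all NSEC3s of a zone share salt and iteration count
    return ad_permitted_for_hash(records, nsec3_hash(next_closer_name, p["salt"], p["iterations"]))

if __name__ == "__main__":
    recs = [parse_nsec3(l) for l in AUTHORITY_NSEC3]
    print("AD permitted:", ad_permitted(recs, "b.wild.optout.example."))
```

A result of False is the section 9.2 case Jia Li points at: the denial is valid but the validator must answer without AD; None means the response lacks a covering NSEC3 altogether, which a validator treats as an incomplete proof rather than a secure answer.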