Maintained by: NLnet Labs

[Unbound-users] AD bit set for NXDOMAIN but should not?

W.C.A. Wijngaards
Tue Mar 1 09:11:57 CET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi David,

On 03/01/2011 12:52 AM, David Blacka wrote:
> 
> On Feb 28, 2011, at 11:07 AM, W.C.A. Wijngaards wrote:
> 
>> Example B.1 in RFC5155 is wrong, and it should be changed to have the
>> optout flag removed from the nextcloser NSEC3
>> (0p9mhaveqvm6t7vbl5lop2u3t2rp3tom).
>>
>> (with the optout flag set, the example is insecure, and also the
>> wildcard denial has to be removed).
> 
> Where in 5155 does it say that the NXDOMAIN proof is different in the opt-out case?  My memory (and a quick search through 5155) is that only the insecure referral proof is different with Opt-Out.
> 
> AFAICT example B.1 is correct.  The examples don't show the AD bit status (they are showing the responses from the authoritative server), but I thought section 9.2 was clear enough.

Well they are supposed to show 'secure' examples.  And B.1 has optout,
thus unbound is correct in setting the AD flag on NXDOMAIN with optout.

I think the example might thus be wrong and needs to have no optout.

If you think somehow the example should be for an 'insecure' NXDOMAIN.
Then it is still wrong because it needs to have the wildcard denial
removed (right? there can be no wildcard delegations).

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1sqk0ACgkQkDLqNwOhpPjftACeLxWXvMygze2dYWjOCkBrQ8Fn
D/MAoJb3p3r6nLsQpdaZTCkF0JHUaI2r
=fX3g
-----END PGP SIGNATURE-----