Maintained by: NLnet Labs

[Unbound-users] AD bit set for NXDOMAIN but should not?

Stephane Bortzmeyer
Tue Mar 1 09:18:28 CET 2011


On Mon, Feb 28, 2011 at 05:07:05PM +0100,
 W.C.A. Wijngaards <wouter at NLnetLabs.nl> wrote 
 a message of 64 lines which said:

> Well, since below the optout stuff is not signed, it is true that
> the NXDOMAIN is not fully secure, so I support the notion that
> unbound should not give an AD flag.

Do you plan to change the behaviour of Unbound? I ask because we
are developing monitoring tools and they rely on the presence/absence
of the AD bit, that's why we were disturbed by the discrepancy between
BIND and Unbound.

> Example B.1 in RFC5155 is wrong, and it should be changed 

I'll let you report it at <http://www.rfc-editor.org/errata.php>, I'm not
confident enough to do it.