Maintained by: NLnet Labs

[Unbound-users] AD bit set for NXDOMAIN but should not?

W.C.A. Wijngaards
Tue Mar 1 09:23:58 CET 2011



Hi Stephane,

On 03/01/2011 09:18 AM, Stephane Bortzmeyer wrote:
>> Well, since below the optout stuff is not signed, it is true that
>> the NXDOMAIN is not fully secure, so I support the notion that
>> unbound should not give an AD flag.
> 
> Do you plan to change the behaviour of Unbound? I ask it because we
> are developing monitoring tools and they rely on the presence/absence
> of the AD bit, that's why we were disturbed by the discrepancy between
> BIND and Unbound.

It seems to me that underneath an optout-span, stuff is insecure, and
thus so must be the NXDOMAIN case we have here.  So I am inclined to
change unbound.  But I am also looking for guidance because of questions
about 5155.

>> Example B.1 in RFC5155 is wrong, and it should be changed 
> 
> I let you report it at <http://www.rfc-editor.org/errata.php>, I'm not
> confident enough to do it.

Yes, but one of the authors of RFC5155 has responded on this mailing
list; first we must talk about it before posting errata.

Best regards,
   Wouter
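Wouter's reasoning above (an Opt-Out span makes the Name Error below it insecure, so the AD bit must not be set) as an added worked example; this is not Unbound's code nor anything posted in the thread. It runs the closest-encloser proof over a constructed NSEC3 chain for a made-up zone "example." with an arbitrary salt and iteration count, and maps the outcome to the AD bit a monitoring tool should expect, following the rule in RFC 5155 section 9.2.

```python
import hashlib

def wire_name(name):
    """Canonical (lowercase) wire-format name; the root is a single zero byte."""
    labels = [l for l in name.lower().rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode() for l in labels) + b'\x00'

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(name||salt), then `iterations` further rounds."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h

def covers(owner, nxt, target):
    """True if target hashes strictly between owner and next; the last record wraps."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt

def classify_nxdomain(qname, zone, chain, salt, iterations):
    """Closest-encloser proof (RFC 5155 section 8.4) over chain = [(owner_hash, next_hash,
    optout)]. Returns 'secure', 'insecure' (next closer name covered by an Opt-Out NSEC3,
    so no AD bit per section 9.2) or 'bogus'."""
    labels = qname.rstrip('.').split('.')
    owners = {o for o, _, _ in chain}
    for i in range(len(labels) - len(zone.rstrip('.').split('.')) + 1):
        encloser = '.'.join(labels[i:]) + '.'
        if nsec3_hash(encloser, salt, iterations) not in owners:
            continue                   # not an existing name, keep walking up
        if i == 0:
            return 'bogus'             # qname itself exists: no valid Name Error proof
        next_closer = nsec3_hash('.'.join(labels[i - 1:]) + '.', salt, iterations)
        wildcard = nsec3_hash('*.' + encloser, salt, iterations)
        cover = [r for r in chain if covers(r[0], r[1], next_closer)]
        if not cover or not any(covers(o, n, wildcard) for o, n, _ in chain):
            return 'bogus'             # proof incomplete
        return 'insecure' if cover[0][2] else 'secure'
    return 'bogus'                     # no closest encloser found in the chain

def expected_ad_bit(status):
    """What a monitoring tool should expect: AD only when the proof is fully secure."""
    return status == 'secure'

def build_chain(names, salt, iterations, optout=False):
    """Constructed helper: sorted NSEC3 chain for a zone containing exactly names."""
    hashes = sorted({nsec3_hash(n, salt, iterations) for n in names})
    return [(hashes[i], hashes[(i + 1) % len(hashes)], optout) for i in range(len(hashes))]
# Constructed zone "example." with a.example. and c.example.; salt and iterations are arbitrary.
SALT, ITER, NAMES = bytes.fromhex('aabbccdd'), 12, ['example.', 'a.example.', 'c.example.']
```

With the same chain, flipping the Opt-Out flag on the record covering the next closer name turns a 'secure' Name Error into an 'insecure' one, which is exactly the BIND/Unbound discrepancy the thread discusses.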