Maintained by: NLnet Labs

[Unbound-users] AD bit set for NXDOMAIN but should not?

W.C.A. Wijngaards
Tue Mar 1 13:45:20 CET 2011



Hi,

So I looked at it some more.  It seems to me that the optout example
zone creates some issues in RFC5155 appendix B; it should note that the
optout NSEC3s mean the answer does not get the AD flag, (or not use
optout).  We need to follow section 9.2.

The issue is broader than you notice, it also affects the other uses of
NSEC3 as next-closer with optout set.  Those become securely-insecure (no
AD flag) too.  This means example B.1 (nxdomain) and B.4 (wildcard).

I think unbound should implement this.  And the errata (the shortest
one) is that example B.1 and B.4 have no AD flag from the validator; or
if 'the AD flag is left unspecified in the examples' as David says, no
errata is necessary.

Best regards,
   Wouter

On 03/01/2011 10:58 AM, Matthijs Mekking wrote:
> 
> 
> On 03/01/2011 12:52 AM, David Blacka wrote:
> 
>> On Feb 28, 2011, at 11:07 AM, W.C.A. Wijngaards wrote:
> 
>>> Example B.1 in RFC5155 is wrong, and it should be changed to have the
>>> optout flag removed from the nextcloser NSEC3
>>> (0p9mhaveqvm6t7vbl5lop2u3t2rp3tom).
>>>
>>> (with the optout flag set, the example is insecure, and also the
>>> wildcard denial has to be removed).
> 
>> Where in 5155 does it say that the NXDOMAIN proof is different in the opt-out case?  My memory (and a quick search through 5155) is that only the insecure referral proof is different with Opt-Out.
> 
>> AFAICT example B.1 is correct.  The examples don't show the AD bit status (they are showing the responses from the authoritative server), but I thought section 9.2 was clear enough.
> 
> But it is confusing:
> 
> The RFC 5155 also shows example responses with NSEC3 that matches the
> QNAME also don't have the AD bit set. These records don't provide
> closest encloser proofs, as far as I understand. As a result, examples,
> B.2, B.2.1 and B.6 should have set the AD bit.
> 
> Best regards,
> 
> Matthijs
> 
> 
> 
>> --
>> David Blacka                          <davidb at verisign.com> 
>> Principal Engineer    Verisign Platform Product Development
> 
> 
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

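The rule Wouter describes (RFC 5155 section 9.2: an NXDOMAIN proof whose next-closer NSEC3 carries the Opt-Out flag is valid but yields no AD bit) as an added example, not code from the thread or from unbound. The zone names, the `build_chain` helper and the `name_error_status` function are constructed for illustration; the salt and iteration count are the NSEC3PARAM values of the RFC 5155 example zone.

```python
import base64
import hashlib

B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: iterated SHA-1 over the wire-format owner name, base32hex."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode()  # 20 bytes -> 32 chars, no padding
    return b32.translate(str.maketrans(B32_STD, B32_HEX)).lower()

def covers(owner, nxt, h):
    """True if hash h lies strictly between owner and next (the chain wraps at its end)."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt

def build_chain(names, optout, salt, iterations):
    """Constructed helper: NSEC3 chain as (owner_hash, flags, next_hash) tuples."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    flags = 1 if optout else 0  # bit 0 of the flags field is Opt-Out (RFC 5155 3.1.2)
    return [(h, flags, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def name_error_status(qname, nsec3s, salt, iterations):
    """Check an NXDOMAIN proof (RFC 5155 8.4), then apply the 9.2 Opt-Out rule.
    Returns 'bogus', 'insecure' (proof holds but no AD bit) or 'secure'."""
    owners = {o for o, _, _ in nsec3s}
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):          # walk up to find the closest encloser
        closest = ".".join(labels[i:])
        if nsec3_hash(closest, salt, iterations) in owners:
            next_closer = ".".join(labels[i - 1:])
            break
    else:
        return "bogus"                       # no closest encloser proof at all
    nc = nsec3_hash(next_closer, salt, iterations)
    covering = [r for r in nsec3s if covers(r[0], r[2], nc)]
    wc = nsec3_hash("*." + closest, salt, iterations)
    if not covering or not any(covers(o, n, wc) for o, _, n in nsec3s):
        return "bogus"                       # next closer or wildcard not denied
    if covering[0][1] & 1:                   # Opt-Out on the next-closer NSEC3: an
        return "insecure"                    # unsigned delegation may exist, so no AD
    return "secure"

SALT, ITER = bytes.fromhex("aabbccdd"), 12   # NSEC3PARAM of the RFC 5155 example zone
ZONE = ["example", "w.example", "x.w.example", "ai.example"]  # constructed signed names

if __name__ == "__main__":
    for optout in (False, True):
        chain = build_chain(ZONE, optout, SALT, ITER)
        print("opt-out" if optout else "no opt-out",
              name_error_status("a.c.x.w.example", chain, SALT, ITER))
```

The same check applies to the B.4 wildcard case, where the next-closer NSEC3 is also the record that decides whether AD may be set.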