Maintained by: NLnet Labs

[Unbound-users] AD bit set for NXDOMAIN but should not?

W.C.A. Wijngaards
Tue Mar 1 17:25:04 CET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi David,

On 03/01/2011 04:11 PM, David Blacka wrote:
>> According to section 9.2, unbound *isn't* correct -- if the covering NSEC3 RR has the opt-out bit set, you don't set AD.  This doesn't change the proof -- you see the same NSEC3 RRs regardless.

Yes

>> No.  There is no separate 'insecure' NXDOMAIN proof.  The only response that is constructed differently due to the opt-out bit is the insecure referral (instead of a matching NSEC3, there is a closest encloser NSEC3 and an NSEC3 covering the next closer name which MUST have the opt-out bit set.)

Yes, I was wrong about that in the email you quote.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1tHeAACgkQkDLqNwOhpPjjnQCfYcxPaLRhANeVP4w9UTF7Yi9t
ob8AmwW49Fwo8FSQFVi4L62anzB8X9Jv
=Cfeq
-----END PGP SIGNATURE-----
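The two proofs discussed in this exchange, the NSEC3 name error with the RFC 5155 section 9.2 Opt-Out rule and the insecure referral made of a closest encloser NSEC3 plus an Opt-Out NSEC3 covering the next closer name, as an added worked example in Python. This is not Unbound code and is not from the thread: the zone (the signed names, salt aabbccdd, 12 iterations, the DS bit on a.example) is constructed for the example, the class and function names are assumptions of mine, and the only value checked against an external source is the RFC 5155 Appendix A hash of the apex name "example".

```python
"""NSEC3 name-error/referral classification (RFC 5155 8.3, 8.4, 8.9, 9.2); added example, not Unbound code."""
import base64
import hashlib
from dataclasses import dataclass

# NSEC3 owner names use base32hex; b32encode uses plain base32, so translate.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt, iterations):
    """IH(salt, x, k), RFC 5155 section 5, SHA-1 over the lowercase wire name."""
    labels = [l for l in name.lower().strip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    h = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(_B32HEX).rstrip("=").lower()

@dataclass
class NSEC3:
    owner: str        # hashed owner label, lowercase base32hex
    next: str         # Next Hashed Owner Name
    optout: bool      # Opt-Out flag (bit 0 of the Flags field)
    types: frozenset  # Type Bit Maps
    def covers(self, h):
        """h strictly between owner and next; the last RR wraps to the first."""
        if self.owner < self.next:
            return self.owner < h < self.next
        return h > self.owner or h < self.next

class Zone:
    def __init__(self, apex, salt, iterations, rrs):
        self.apex, self.salt, self.iterations, self.rrs = apex, salt, iterations, rrs
    def matching(self, name):
        h = nsec3_hash(name, self.salt, self.iterations)
        return next((r for r in self.rrs if r.owner == h), None)
    def covering(self, name):
        h = nsec3_hash(name, self.salt, self.iterations)
        return next((r for r in self.rrs if r.covers(h)), None)
    def closest_encloser(self, qname):
        """RFC 5155 8.3: first ancestor (from qname's parent up) with a matching NSEC3
        is the closest encloser; the next closer name below it must be covered."""
        labels = qname.strip(".").split(".")
        apex_depth = len(self.apex.strip(".").split("."))
        for i in range(1, len(labels) - apex_depth + 1):
            if self.matching(".".join(labels[i:])) is None:
                continue
            cov = self.covering(".".join(labels[i - 1:]))
            return (".".join(labels[i:]), cov) if cov is not None else None
        return None
    def name_error(self, qname):
        """Classify an NXDOMAIN proof: RFC 5155 8.4 plus the 9.2 Opt-Out rule."""
        if self.matching(qname) is not None:
            return "bogus"  # the name exists, so it cannot be NXDOMAIN
        proof = self.closest_encloser(qname)
        if proof is None:
            return "bogus"
        ce, next_closer_rr = proof
        if self.covering("*." + ce) is None:
            return "bogus"  # wildcard at the closest encloser is not denied
        # 9.2: same NSEC3 RRs either way, but if the one covering the next closer
        # name has Opt-Out set an unsigned delegation may exist in that span, so
        # the name error is only Insecure and the AD bit must stay clear.
        return "insecure" if next_closer_rr.optout else "secure"
    def referral(self, delegation):
        """Classify a referral's NSEC3 proof per RFC 5155 8.9."""
        m = self.matching(delegation)
        if m is not None:  # matching NSEC3: the DS bit says whether it is signed
            return "signed" if "DS" in m.types else "insecure"
        proof = self.closest_encloser(delegation)
        if proof is None:
            return "bogus"
        # No matching NSEC3 is valid only in an Opt-Out span: the NSEC3 covering
        # the next closer name MUST have the flag set.
        return "insecure" if proof[1].optout else "bogus"

def build_zone(apex, names, salt, iterations, optout=False, types=None):
    """Build an NSEC3 chain over the signed names (constructed test data)."""
    types = types or {}
    entries = sorted((nsec3_hash(n, salt, iterations), n) for n in names)
    rrs = [NSEC3(h, entries[(i + 1) % len(entries)][0], optout,
                 frozenset(types.get(n, ()))) for i, (h, n) in enumerate(entries)]
    return Zone(apex, salt, iterations, rrs)

# Constructed zone; salt and iteration count follow RFC 5155 Appendix A.
SALT, ITER = bytes.fromhex("aabbccdd"), 12
NAMES = ["example", "a.example", "w.example", "x.w.example", "xx.example"]
TYPES = {"a.example": ("NS", "DS")}

def demo():
    """Same chain with and without Opt-Out; only the flag differs."""
    plain = build_zone("example", NAMES, SALT, ITER, optout=False, types=TYPES)
    optout = build_zone("example", NAMES, SALT, ITER, optout=True, types=TYPES)
    return {
        "nxdomain_no_optout": plain.name_error("a.c.x.w.example"),  # secure
        "nxdomain_optout": optout.name_error("a.c.x.w.example"),    # insecure
        "referral_optout": optout.referral("b.example"),            # insecure
        "referral_no_optout": plain.referral("b.example"),          # bogus
    }
```

demo() runs the same NXDOMAIN query against the same chain twice, once with the Opt-Out flag clear and once with it set, and gets "secure" and "insecure" respectively. That is the point made above: the NSEC3 RRs in the response are identical, and only the flag on the RR covering the next closer name decides whether AD may be set. The referral cases show the other side of the same rule: a delegation with no matching NSEC3 is acceptable only when that covering RR has Opt-Out set, and is bogus otherwise.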