Flags?

Viktor Dukhovni
Mon May 30 20:11:38 CEST 2016


On Mon, May 30, 2016 at 09:18:59AM +0200, W.C.A. Wijngaards wrote:

> If secure and bogus are both not set, the message is 'insecure', i.e. it
> was not dnssec signed.

Also SERVFAIL, FORMERR, NOTIMP, ... are neither secure nor insecure.
DNSSEC Security status only applies to a response RRset or denial
of existence of that RRset.

The only response codes for which the secure/insecure distinction
applies are:

    NOERROR
    NXDOMAIN
    NODATA (NOERROR + ANCOUNT = 0)

All other error codes don't distinguish between signed and unsigned
zones, all we know is that the lookup failed (misconfiguration,
DoS, MiTM, ...).

This is important in opportunistic DANE TLS, see:

    https://tools.ietf.org/html/rfc7672#section-2.1

There I make the case that non-bogus NOERROR, NODATA and NXDOMAIN
are not errors, while bogus responses and all other response codes
are lookup errors.

-- 
	Viktor.
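As an added illustration (not code from this thread, Unbound or RFC 7672): a small Python classifier that applies the rule above, that secure/insecure only means something for NOERROR, NODATA and NXDOMAIN, to a constructed stand-in for the libunbound result fields. `LookupResult`, `Status`, `classify`, `answer_kind` and `naive_is_insecure` are hypothetical names; `rcode`, `secure` and `bogus` mirror ub_result fields, while `ancount` is an assumed stand-in for the answer-section count.

```python
from dataclasses import dataclass
from enum import Enum

# DNS RCODE values (RFC 1035) referred to in the post
NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMP, REFUSED = 0, 1, 2, 3, 4, 5


@dataclass(frozen=True)
class LookupResult:
    """Constructed stand-in for the resolver result fields this logic needs."""
    rcode: int
    ancount: int   # RRs in the answer section; NOERROR with 0 is NODATA
    secure: bool   # resolver validated the response with DNSSEC
    bogus: bool    # validation was attempted and failed


class Status(Enum):
    SECURE = "secure"              # signed and validated
    INSECURE = "insecure"          # provably unsigned zone
    BOGUS = "bogus"                # validation failure: a lookup error
    LOOKUP_ERROR = "lookup error"  # SERVFAIL, REFUSED, ...: signedness unknown


def answer_kind(r: LookupResult) -> str:
    """Name the three response shapes for which secure/insecure is meaningful."""
    if r.rcode == NXDOMAIN:
        return "NXDOMAIN"
    if r.rcode == NOERROR:
        return "NODATA" if r.ancount == 0 else "NOERROR"
    return "ERROR"


def classify(r: LookupResult) -> Status:
    """Map resolver flags plus rcode to a security status, per the post's rules."""
    if r.bogus:
        return Status.BOGUS
    if answer_kind(r) == "ERROR":
        # Neither secure nor insecure: the lookup simply failed
        return Status.LOOKUP_ERROR
    return Status.SECURE if r.secure else Status.INSECURE


def naive_is_insecure(r: LookupResult) -> bool:
    """The shortcut the post argues against: 'not secure and not bogus' == insecure."""
    return not r.secure and not r.bogus


def is_lookup_error(status: Status) -> bool:
    """Bogus responses and non-answer rcodes are both lookup errors to a DANE client."""
    return status in (Status.BOGUS, Status.LOOKUP_ERROR)
```

Run `classify` on a SERVFAIL result and compare with `naive_is_insecure` to see why the shortcut misfiles a failed lookup as an unsigned zone.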