On Wed, Feb 26, 2014 at 07:02:45PM +0000, Tony Finch wrote:

> Viktor Dukhovni <[email protected]> wrote:
>
> > I think it requires EDNS0,
> 
> The AD bit is in the message header not the OPT pseudo-RR, so
> syntactically it doesn't require EDNS0. BIND works OK (try
> dig +qr +noedns). However the spec is silent on this matter.
> http://tools.ietf.org/html/rfc6840#page-10
> Also I think it is arguable that RFC 4035 says servers should set the
> AD flag in the response regardless of whether the client indicates
> it is security-aware. But implementations do not do that.

You're right about the AD bit, of course; I was thinking of "DO".
Below setting either "AD=1" or "DO=1" elicits a validated response
from unbound, but with "DO=1" additional RRSIG records are returned.
The libresolv API does not currently expose a portable mechanism
for setting AD=1 in requests.

    $ dig +noall +comment +answer +noedns +adflag -t mx debian.org
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28554
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 6

    ;; ANSWER SECTION:
    debian.org.             3567    IN      MX      0 mailly.debian.org.
    debian.org.             3567    IN      MX      0 muffat.debian.org.

    $ dig +noall +comment +answer +dnssec -t mx debian.org
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15599
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 6, ADDITIONAL: 19

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; ANSWER SECTION:
    debian.org.             3552    IN      MX      0 mailly.debian.org.
    debian.org.             3552    IN      MX      0 muffat.debian.org.
    debian.org.             3552    IN      RRSIG   MX 7 2 ...
    debian.org.             3552    IN      RRSIG   MX 8 2 ...

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
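The distinction discussed above (AD is a header flag, DO lives in the EDNS0 OPT pseudo-RR, and only DO makes a validating resolver return RRSIGs) shown on the wire, as an added example that is not code from the thread. The `fake_validating_resolver` function is a hypothetical stand-in for unbound that answers locally, so nothing is sent over the network; the MX hosts mirror the dig output above, while the RRSIG RDATA is constructed filler with a zeroed signature, not a real signature.

```python
"""DNS wire format: AD lives in the 12-byte header, DO in the EDNS0 OPT
pseudo-RR.  Added example (not from the thread); the resolver reply is
constructed locally, so no packets are sent and the RRSIG bytes are filler."""
import struct

TYPE_MX, TYPE_OPT, TYPE_RRSIG, CLASS_IN = 15, 41, 46, 1
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000                  # DO bit inside the OPT RR's 32-bit "TTL" field
NAME_PTR_TO_QNAME = b"\xc0\x0c"   # compression pointer to the question name (offset 12)


def encode_name(name):
    """Dotted name -> uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def opt_rr(do, udp_size=4096):
    """OPT pseudo-RR: root owner, TYPE 41, CLASS = UDP payload size,
    TTL field = ext-rcode(8) | version(8) | DO(1) | Z(15), empty RDATA."""
    return b"\x00" + struct.pack(">HHIH", TYPE_OPT, udp_size, EDNS_DO if do else 0, 0)


def build_query(name, qtype, qid, ad=False, do=False):
    """AD=1 needs only a header bit; DO=1 needs an OPT RR in the additional section."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    msg = struct.pack(">HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)
    return (msg + opt_rr(True)) if do else msg


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:             # compression pointer: continue elsewhere
            end = end if end is not None else off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(msg):
    """Header flags plus (owner, type) of every RR; an OPT RR is reported as the DO bit."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, rrs, do = 12, [], None
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
        else:
            rrs.append((name, rtype))
    return {"id": qid, "ad": bool(flags & FLAG_AD), "do": do,
            "rcode": flags & 0xF, "rrs": rrs}


def fake_validating_resolver(query):
    """Hypothetical stand-in for unbound: answers debian.org MX with AD=1 and,
    only when the query carried DO=1, adds filler RRSIGs and echoes an OPT RR."""
    q = parse_message(query)
    do = q["do"] is True
    mx = [b"\x00\x00" + encode_name(h) for h in ("mailly.debian.org", "muffat.debian.org")]
    answers = [NAME_PTR_TO_QNAME + struct.pack(">HHIH", TYPE_MX, CLASS_IN, 3567, len(r)) + r
               for r in mx]
    if do:
        for alg in (7, 8):                  # constructed RRSIG RDATA, zeroed signature
            sig = (struct.pack(">HBBIIIH", TYPE_MX, alg, 2, 3600, 0, 0, 0)
                   + encode_name("debian.org") + b"\x00" * 16)
            answers.append(NAME_PTR_TO_QNAME
                           + struct.pack(">HHIH", TYPE_RRSIG, CLASS_IN, 3567, len(sig)) + sig)
    hdr = struct.pack(">HHHHHH", q["id"], FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD,
                      1, len(answers), 0, 1 if do else 0)
    question = encode_name("debian.org") + struct.pack(">HH", TYPE_MX, CLASS_IN)
    return hdr + question + b"".join(answers) + (opt_rr(True) if do else b"")


def query_and_check(ad, do):
    """Returns (AD set in the reply?, number of RRSIGs in the reply)."""
    q = build_query("debian.org", TYPE_MX, 0x1234, ad=ad, do=do)
    reply = parse_message(fake_validating_resolver(q))
    return reply["ad"], sum(1 for _, t in reply["rrs"] if t == TYPE_RRSIG)


if __name__ == "__main__":
    print("AD=1, no EDNS (dig +noedns +adflag):", query_and_check(ad=True, do=False))
    print("DO=1          (dig +dnssec)        :", query_and_check(ad=False, do=True))
```

The first call corresponds to `dig +noedns +adflag`: the query is 28 bytes with no OPT RR at all, and the reply still carries AD. The second corresponds to `dig +dnssec`: the only difference on the wire is the 11-byte OPT RR with the DO bit set, and that is what makes the RRSIGs appear in the answer section.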
