On 11.3.2014 07:46, Mark Andrews wrote:
> In message <[email protected]>, Florian Weimer writes:
> > * Paul Wouters:
> > > Sorry, I mistook the flags in the struct to be the DNS flags. Let me
> > > rephrase it as "a DNS API call that returns the presence or lack of
> > > AD bit"
> >
> > I think this focus on the AD bit is a grave mistake. There are other
> > technologies for securing DNS data. At least one of them (installing
> > an authenticated copy of the zone in the resolver) is superior to
> > DNSSEC according to various criteria, but full implementation requires
> > that the resolver clears the AD bit.
>
> You can set AD=1 with a local copy of the zone. I actually run
> named locally like this with full dnssec validation of results
> returned from the local zone. You can also just assert AD=1 without
> doing validation if that is what your local policy states on secure
> transfer.
Maybe it is not a problem, but I have to ask:
What if the DS records in the parent zone are somehow broken? Validating resolvers
will see the child zone as bogus, but the authoritative server for such a zone will
happily set AD=1.
I'm curious whether this conflicts with the AD bit definition in the RFCs or not.
--
Petr^2 Spacek
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
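The thread above turns on what a client can read out of the AD bit, and on Mark's point that a server serving a local zone copy can set AD=1 (with AA=1 alongside) without any validation against the parent's DS records. The following is an added example, not code from the list thread or from any of the participants: it decodes the DNS header flags that carry this information and classifies an AD=1 response by whether it also carries AA. The three 12-byte messages are constructed by hand so the script runs offline; the flag positions follow RFC 1035 (header layout) and RFC 4035 (AD and CD bits). The classification labels are this example's own names, not terms from any RFC.

```python
"""Decode the DNS header flags behind the AD-bit discussion.

Added example, not part of the original mailing-list thread. Only the
12-byte header is modelled, since QR, AA, AD and CD all live in its
16-bit flags word. Sample messages below are constructed, not captured.
"""
import struct

# Masks for the 16-bit flags word (RFC 1035 section 4.1.1; AD/CD from RFC 4035).
QR = 0x8000   # message is a response
AA = 0x0400   # authoritative answer
TC = 0x0200   # truncated
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available
AD = 0x0020   # authentic data: responder asserts the data was validated
CD = 0x0010   # checking disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F


def decode_header(msg: bytes) -> dict:
    """Return the header fields of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def ad_origin(msg: bytes) -> str:
    """Classify an AD=1 response by who is asserting it (labels are ours).

    "ad-asserted-by-authoritative": AA=1 and AD=1, i.e. the responder is
        serving the zone itself and is asserting AD by local policy, as in
        Mark's local-zone-copy setup. Nothing in the header tells you
        whether it checked the parent's DS records.
    "ad-from-recursive": AD=1 without AA, the usual validating-resolver case.
    Either way, a stub may only rely on AD=1 if it trusts the responder and
    the path to it (RFC 4035); the bit is an assertion, not a proof.
    """
    h = decode_header(msg)
    if not h["qr"]:
        return "query"
    if not h["ad"]:
        return "ad-clear"
    if h["aa"]:
        return "ad-asserted-by-authoritative"
    return "ad-from-recursive"


def build_header(flags: int, ident: int = 0x1234,
                 qdcount: int = 1, ancount: int = 1) -> bytes:
    """Build a bare 12-byte DNS header (constructed test data, no RRs)."""
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)


# Constructed sample 1: a validating recursive resolver answering a query.
RESOLVER_RESPONSE = build_header(QR | RD | RA | AD)
# Constructed sample 2: a server with a local zone copy that sets AA and AD.
AUTH_RESPONSE = build_header(QR | AA | AD)
# Constructed sample 3: the same authoritative server with AD cleared.
AUTH_RESPONSE_NO_AD = build_header(QR | AA)

if __name__ == "__main__":
    for name, m in [("resolver", RESOLVER_RESPONSE),
                    ("auth+AD", AUTH_RESPONSE),
                    ("auth", AUTH_RESPONSE_NO_AD)]:
        h = decode_header(m)
        print(f"{name:9} qr={h['qr']} aa={h['aa']} ad={h['ad']} "
              f"cd={h['cd']} rcode={h['rcode']} -> {ad_origin(m)}")
```

Running the script prints the decoded flags for each constructed message. The useful point for the discussion is that samples 1 and 2 both carry AD=1 and look identical to an API that "returns the presence or lack of AD bit"; only the AA bit, and knowledge of which server answered, distinguishes a locally asserted AD from a validated one.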