In message <[email protected]>, Petr Spacek writes:
> On 11.3.2014 07:46, Mark Andrews wrote:
> >
> > In message <[email protected]>, Florian Weimer writes:
> >> * Paul Wouters:
> >>
> >>> Sorry, I mistook the flags in the struct to be the DNS flags. Let me
> >>> rephrase it as "a DNS API call that returns the presence or lack of
> >>> AD bit"
> >>
> >> I think this focus on the AD bit is a grave mistake. There are other
> >> technologies for securing DNS data. At least one of them (installing
> >> an authenticated copy of the zone in the resolver) is superior to
> >> DNSSEC according to various criteria, but full implementation requires
> >> that the resolver clears the AD bit.
> >
> > You can set AD=1 with a local copy of the zone. I actually run
> > named locally like this with full DNSSEC validation of results
> > returned from the local zone. You can also just assert AD=1 without
> > doing validation if that is what your local policy states on secure
> > transfer.
>
> Maybe it is not a problem but I have to ask:
>
> What if the DS records in the parent zone are somehow broken? Validating
> resolvers will see the child zone as bogus, but the authoritative server
> for such a zone will happily set AD=1.

Yes.

> I'm curious if this conflicts with the AD bit definition in the RFCs or not.

It is permitted.

> --
> Petr^2 Spacek
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
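The exchange above turns on what a client can actually read out of a response: the AD bit is one flag in the 12-byte DNS header, and it means different things depending on who set it. The following is an added example written for this page, not code from the thread or from BIND. It decodes the header flags from wire-format bytes (bit positions per RFC 1035 section 4.1.1 and RFC 4035 section 3.1.6), then classifies the AD bit the way the thread's caveat suggests: an AD=1 that arrives together with AA=1 is the authoritative server vouching for its own local zone, which says nothing about whether the DS chain from the parent is intact. The sample responses are constructed inline (headers only, no question or answer sections), and the classification strings in `describe_ad` are this example's own wording, not RFC text.

```python
"""Decode DNS header flags from wire format and classify the AD bit.

Added example for the thread above; not code from the list or from BIND.
"""
import struct
from dataclasses import dataclass

# Masks for the 16-bit flags word of the DNS header.
# QR/AA/TC/RD/RA/RCODE: RFC 1035 section 4.1.1; AD/CD: RFC 4035 section 3.1.6.
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
OPCODE_SHIFT, OPCODE_MASK = 11, 0x000F
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


@dataclass(frozen=True)
class DnsHeader:
    id: int
    qr: bool
    opcode: int
    aa: bool
    tc: bool
    rd: bool
    ra: bool
    ad: bool
    cd: bool
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte header at the front of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(
        id=ident,
        qr=bool(flags & QR),
        opcode=(flags >> OPCODE_SHIFT) & OPCODE_MASK,
        aa=bool(flags & AA),
        tc=bool(flags & TC),
        rd=bool(flags & RD),
        ra=bool(flags & RA),
        ad=bool(flags & AD),
        cd=bool(flags & CD),
        rcode=flags & RCODE_MASK,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def build_header(ident: int, flags: int, rcode: int = 0, qdcount: int = 1,
                 ancount: int = 0, nscount: int = 0, arcount: int = 0) -> bytes:
    """Encode a header. Used here only to construct sample responses offline."""
    word = (flags & ~RCODE_MASK) | (rcode & RCODE_MASK)
    return struct.pack("!HHHHHH", ident, word, qdcount, ancount, nscount, arcount)


def describe_ad(h: DnsHeader) -> str:
    """Say what the AD bit in this response does and does not tell the client.

    The classification below is this example's reading of the thread, not RFC text.
    """
    if h.rcode != 0:
        return f"{RCODE_NAMES.get(h.rcode, h.rcode)}: no data to mark as authentic"
    if not h.ad:
        return "AD=0: server did not assert authenticity"
    if h.aa:
        # The thread's caveat: a server authoritative for a locally held zone may
        # set AD=1 on its own data even if the DS in the parent is broken, so this
        # AD is a statement about the local zone, not a chain of trust from the root.
        return "AD=1 from an authoritative answer: local assertion, not a chain-of-trust check"
    return "AD=1 from a recursive answer: trust it only from a validating resolver over a secure path"


# Constructed sample responses (header only), all with a single question.
RESOLVER_VALIDATED = build_header(0x1234, QR | RD | RA | AD)        # validating recursive resolver
LOCAL_AUTH_ZONE = build_header(0x1234, QR | AA | RD | RA | AD)      # named serving a local copy of the zone
BOGUS_SERVFAIL = build_header(0x1234, QR | RD | RA, rcode=2)        # validator rejected a broken DS chain

if __name__ == "__main__":
    for name, msg in (("resolver", RESOLVER_VALIDATED), ("local auth", LOCAL_AUTH_ZONE),
                      ("bogus", BOGUS_SERVFAIL)):
        print(f"{name:11s} {describe_ad(parse_header(msg))}")
```

To use this against a live server, read the first 12 bytes of the UDP or TCP reply into `parse_header`; everything past the header is left untouched because only the flags word matters for this question.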
