Hello list,
On 26.2.2014 20:11, Viktor Dukhovni wrote:
> On Wed, Feb 26, 2014 at 07:02:45PM +0000, Tony Finch wrote:
>> Viktor Dukhovni <[email protected]> wrote:
>>> I think it requires EDNS0,
>> The AD bit is in the message header, not the OPT pseudo-RR, so
>> syntactically it doesn't require EDNS0. BIND works OK (try
>> dig +qr +noedns). However the spec is silent on this matter.
>> http://tools.ietf.org/html/rfc6840#page-10
>> Also I think it is arguable that RFC 4035 says servers should set the
>> AD flag in the response regardless of whether the client indicates
>> it is security-aware. But implementations do not do that.
> You're right about the AD bit of course, I was thinking of "DO".
> Below, setting either "AD=1" or "DO=1" elicits a validated response
> from unbound, but with "DO=1" additional RRSIG records are returned.
> The libresolv API does not currently expose a portable mechanism
> for setting AD=1 in requests.
I have heard that there was a discussion about AD bit handling at IETF 89.
Could somebody summarize it, please?
I understand that everybody is more interested in DANE and DNS-privacy but I
would like to finish this discussion and either drop the AD-bit special
handling altogether or move to implementation phase :-)
Thank you very much for your time!
--
Petr^2 Spacek
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
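The wire-level difference the thread turns on, as an added example that is not part of the original mail or of any of the implementations mentioned: AD=1 is a header flag and fits in a plain query, while DO=1 only exists inside an EDNS0 OPT pseudo-RR. The builder, the flag constants and the sample response header below are constructed for illustration; `build_query`, `query_signals` and `response_is_authenticated` are hypothetical helper names.

```python
import struct

# Header flag bits (second 16-bit word of the DNS header, RFC 1035 / RFC 4035).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
# DO lives in the high bit of the OPT pseudo-RR's 32-bit TTL field (RFC 3225).
EDNS_DO = 0x8000
OPT_TYPE = 41

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype=1, txid=0x1234, ad=False, do=False, udp_size=4096):
    """AD=1 only touches the header; DO=1 needs an OPT RR appended (EDNS0)."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if do:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = DO flag, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, EDNS_DO, 0)
    return msg

def header_flags(msg):
    return struct.unpack("!H", msg[2:4])[0]

def section_counts(msg):
    """(QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) from the header."""
    return struct.unpack("!HHHH", msg[4:12])

def query_signals(msg):
    """Which of the two 'please validate' signals a query carries."""
    ad = bool(header_flags(msg) & FLAG_AD)
    do = False
    if section_counts(msg)[3] and len(msg) >= 11:
        # An OPT RR with empty RDATA is exactly 11 bytes; confirm the tail is one.
        name, rtype, _, ttl, rdlen = struct.unpack("!BHHIH", msg[-11:])
        do = name == 0 and rtype == OPT_TYPE and rdlen == 0 and bool(ttl & EDNS_DO)
    return {"ad": ad, "do": do}

def response_is_authenticated(msg):
    """AD=1 in a response header. Only meaningful from a validating resolver reached
    over a trusted path (RFC 4035 s4.9.3); an untrusted hop can clear or forge it."""
    want = FLAG_QR | FLAG_AD
    return (header_flags(msg) & want) == want

# Constructed sample: header of a validated answer (QR, RD, RA, AD set); sections omitted.
SAMPLE_VALIDATED_RESPONSE = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
```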