Andrew Sullivan wrote:

> So AD doesn't mean "I validated this", but rather "I know this is
> valid". The translating validator _can_ know it's valid: it validated
> the "base" A record, and then performed a translation using the data
> it also has by secure means (the sysadmin configured it that way, or
> it obtained the prefix via some secured connection, or something like
> that).
Yes, both inputs to the translation must be secure: the prefix and the A record. So the prefix comes from the disk, or was also signed. Not from an (unsigned) DHCP announcement option for the prefix. Otherwise, the output of the translation should not have the AD bit.

So, if the translating cache picked up the prefix from an (unsigned) DHCP announcement option, that prefix is 'insecure'. And the security status of the translation should be the one from the weakest link.

The AD bit can be set on two conditions: the question contained the DO bit, or the question contained the AD bit (see dnssec-updates draft). The caching translator can also opt to never give the AD bit for translations. This is again the local policy knob: 'no trust anchor for the prefix'.

Like Matthijs noted, for me the most interesting thing was that the A record was put in the additional section *without signature*, even though the DO bit was set. I would think that if the DO bit is set, you return signatures if you have them. That makes the most sense to me. But without a signature it does not actually break anything, because 4034 allows signatures from the additional section to be omitted to make the reply fit into the UDP datagram. However, I believe you are required to at least try to send that signature (according to RFC4034).

The signature is of course useful if the respondent can check the translation (and perform validation itself; you do not know if it does so, regardless of whether the CD bit is set). I would like the signature of the A record put in the additional section as well; of course you would only get that if you signal the DO bit.
Best regards,
Wouter

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop