On Tue, Apr 03, 2018 at 06:32:49PM +1000, Geoff Huston wrote:
> So this text is saying that the AD bit is set if the resolver considers all
> RRsets in the Answer section to be authentic. Fair enough.

More correctly, the bit is cleared if the resolver *doesn't* consider all
RRsets to be validly signed, but the distinction probably isn't that
important here.

> What happens when neither DO nor AD is set in the request? 

"dig +noedns +noadflag" will produce such a query, if you want to try
it out.

> Do you get a response that is authentic (but without any explicit signalling
> in the response  that would indicate that authentication has occurred) or the
> Servfail response in the case where authentication fails?

This. The resolver attempts validation and returns a plain-looking answer
if the response was valid or provably insecure, SERVFAIL if bogus.

> Or do you get a response that is not necessarily authenticated even though
> the CD bit is not set?
> 
> If it's the former then the AD bit may or may not be set on responses even
> though they have been "DNSSEC validated"

That's correct.

(Also the AD flag can easily be turned on or off by an intermediate proxy,
so you should never rely on it for much of anything, really.)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
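Added example, not code from this thread or from ISC: a small wire-format helper that shows where the AD and CD header bits, the EDNS DO bit and the RCODE live, builds the query flag combinations discussed above (the "+noedns +noadflag" case included), and models the validating-resolver outcome Evan describes. It uses only the Python standard library; the function names and the sample query name are my own choices.

```python
import struct
from typing import Optional, Tuple

# Header flag bits (RFC 1035 / RFC 4035); the 16-bit flags word follows the ID.
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
EDNS_DO = 0x8000  # DO lives in the OPT RR's TTL field (RFC 6891), not in the header

def decode_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header into flag bits, RCODE and section counts."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": ident, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in the root label."""
    labels = [lb.encode() for lb in name.rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb for lb in labels) + b"\x00"

def build_query(qname: str, edns=True, do=True, ad=False, cd=False, ident=0x1234) -> bytes:
    """Build an A query with the flags 'dig [+noedns] [+nodnssec] [+adflag] [+cdflag]' sends."""
    flags = RD | (AD if ad else 0) | (CD if cd else 0)
    pkt = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 1 if edns else 0)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if edns:  # OPT RR: root name, TYPE 41, UDP size 1232, TTL = ext-rcode/version/DO, RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, 1232, EDNS_DO if do else 0, 0)
    return pkt

def query_do_bit(pkt: bytes) -> Optional[bool]:
    """Read DO from a query whose only additional record is the OPT RR (uncompressed name)."""
    pos = 12
    while pkt[pos] != 0:  # skip the question name's labels
        pos += 1 + pkt[pos]
    pos += 1 + 4  # root label, QTYPE, QCLASS
    if decode_header(pkt)["arcount"] == 0 or pkt[pos] != 0 or pkt[pos + 1:pos + 3] != b"\x00\x29":
        return None  # no OPT RR at all: this is what 'dig +noedns' sends
    return bool(struct.unpack("!I", pkt[pos + 5:pos + 9])[0] & EDNS_DO)

def resolver_response(status: str, ad_or_do_requested: bool) -> Tuple[str, bool]:
    """Model the behaviour the thread describes: (RCODE, AD bit) for a validation outcome.

    status is 'secure', 'insecure' (provably unsigned) or 'bogus'; AD is set only for a
    secure answer and only if the query had AD or DO set (RFC 6840 section 5.7)."""
    if status == "bogus":
        return "SERVFAIL", False
    return "NOERROR", status == "secure" and ad_or_do_requested
```

Because AD is just a header bit, anything on the path between you and the resolver can flip it, which is why the decoded flag is informational rather than a proof of validation.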
