Re: [dane] An AD bit discussion

Viktor Dukhovni, Wed, 26 February 2014 18:24 UTC


On Wed, Feb 26, 2014 at 06:14:09PM +0000, Tony Finch wrote:

> > As for setting the "AD" bit in the request automatically, it probably
> > should still require an explicit indication of interest from the
> > application or be set via a default option value /etc/resolv.conf.
> Perhaps, though I think the AD flag is pretty benign.

I think it requires EDNS0, but if that is already set, perhaps
turning on AD by default is harmless.  This specific detail is
perhaps more of a "dnsop" than "dane" question.

By the way I just noticed that
does not define the interaction of DNSSEC with:

    getdns_return_t getdns_context_set_append_name(
	getdns_context *context,
	getdns_append_name_t value );

    Specifies whether to append a suffix to the query string before
    the API starts resolving a name. The value is


    This controls whether or not to append the suffix given by

Name appending breaks DNSSEC when any of the resulting zones are
insecure and are tried before ultimately secure zones.  The validity
of a request for a secure response for an under-specified query is
IMHO questionable.
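The two points in the message above (a request that carries the AD bit and EDNS0, and a search list that hands back an answer from an insecure zone before the secure name is ever tried) are illustrated by the following added example. It is not code from the thread, from getdns, or from any resolver library; the wire-format builder and the search-list walk are written from the RFC 1035 / RFC 6891 layouts, and the zone data and the `lookup` function standing in for a validating resolver are constructed for the example.

```python
"""
Added example (not from the original thread or from getdns):
1. build a DNS query whose header has AD set and whose additional
   section carries an EDNS0 OPT record with the DO bit;
2. simulate a stub resolver's search-list behaviour to show that an
   under-specified name can be satisfied from an insecure zone before
   the signed name is ever queried, so the answer comes back without AD.
"""
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 2535 / RFC 6840)
FLAG_RD = 0x0100
FLAG_AD = 0x0020
FLAG_CD = 0x0010
# The DO bit lives in the high bit of the OPT RR's 32-bit TTL field (RFC 6891)
EDNS_DO = 0x8000
TYPE_OPT = 41


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, rd=True, ad=True, do=True, udp_size=1232):
    """Return a wire-format query. do=True appends an EDNS0 OPT RR with DO set."""
    flags = (FLAG_RD if rd else 0) | (FLAG_AD if ad else 0)
    arcount = 1 if do else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if do:
        # OPT RR: root name, type 41, CLASS = sender's UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt


def parse_flags(wire):
    """Read back header flags and the DO bit from a query built above."""
    _txid, flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qdcount):            # skip QNAME labels, then QTYPE/QCLASS
        while True:
            length = wire[off]
            off += 1
            if length == 0:
                break
            off += length
        off += 4
    edns = do = False
    for _ in range(arcount):             # a query has no answer/authority RRs
        if wire[off] != 0:
            raise ValueError("expected root name for OPT RR")
        off += 1
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns = True
            do = bool(ttl & EDNS_DO)
    return {"rd": bool(flags & FLAG_RD), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "edns": edns, "do": do}


# Constructed data: corp.example is unsigned (insecure), example.net is signed.
# Value is (address, AD bit as a validating resolver would return it).
CONSTRUCTED_ZONE_DATA = {
    "www.corp.example.": ("192.0.2.10", False),
    "www.example.net.": ("198.51.100.7", True),
}


def lookup(fqdn):
    """Stand-in for a validating resolver; None means NXDOMAIN."""
    return CONSTRUCTED_ZONE_DATA.get(fqdn)


def resolve_with_search(name, search_list, lookup_fn, ndots=1):
    """Mimic a stub resolver: names with fewer than ndots dots get each
    search suffix appended first; the first name that exists wins, so a
    hit in an insecure zone pre-empts the secure name later in the list."""
    if name.endswith("."):
        candidates = [name]
    elif name.count(".") >= ndots:
        candidates = [name + "."] + ["%s.%s." % (name, s) for s in search_list]
    else:
        candidates = ["%s.%s." % (name, s) for s in search_list] + [name + "."]
    for fqdn in candidates:
        hit = lookup_fn(fqdn)
        if hit is not None:
            addr, ad = hit
            return fqdn, addr, ad
    return None


if __name__ == "__main__":
    print(parse_flags(build_query("www.example.net")))
    print(resolve_with_search("www", ["corp.example", "example.net"], lookup))
```

With the search list `corp.example` before `example.net`, `www` resolves to `www.corp.example.` and the answer carries no AD bit even though `www.example.net.` is signed; only the fully qualified name (or `www.example.net` with ndots satisfied) reaches the secure zone, which is the "under-specified query" problem the message raises.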