Re: Question about TSIG, AD/AA, and AXFR

Jakob Schlyter <jakob@crt.se> Tue, 17 July 2001 20:47 UTC

From: Jakob Schlyter <jakob@crt.se>
To: Edward Lewis <lewis@tislabs.com>
Cc: namedroppers@ops.ietf.org
Subject: Re: Question about TSIG, AD/AA, and AXFR
In-Reply-To: <v0313030eb779efd43e81@[208.58.212.166]>
Message-Id: <E15MaoL-00041z-00@psg.com>
Date: Tue, 17 Jul 2001 12:47:13 -0700

On Tue, 17 Jul 2001, Edward Lewis wrote:

> From your message it sounds like no one should trust data with the AA bit,
> as this means the authentication has not been checked.  This is an ironic
> conclusion, as we've been assigning more credibility to AA'd data.  (Once
> again, the credibility vs. authenticated issue arises.)

The nameserver should never set the AD bit without actually verifying the
data. Some earlier versions of BIND did set AD if the server itself were
authoritative. I believe this is wrong - data shouldn't be checked on load,
it should be checked on query.

I think the AA-bit could be trustworthy for very simple resolvers that,
for some reason, do trust their local resolver.

	jakob
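As an added example (not part of this thread), a stub-resolver-side check that decodes the DNS header and applies the policy discussed above: AA alone says nothing about validation, and AD is honoured only when the answer came from a validating resolver the stub trusts. The policy function, the header builder and the sample headers are assumptions constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD from RFC 2535/4035)
QR = 0x8000          # response
AA = 0x0400          # authoritative answer
AD = 0x0020          # authenticated data (set by a validating resolver)
RCODE_MASK = 0x000F


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "ad": bool(flags & AD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def answer_is_validated(msg: bytes, trusted_local_resolver: bool) -> bool:
    """Assumed stub policy: AA is credibility, not authentication, so it is
    ignored here. AD counts only if the resolver that set it is one the
    stub trusts (e.g. a local validating resolver over a trusted path)."""
    h = parse_header(msg)
    if not h["qr"] or h["rcode"] != 0:
        return False
    return h["ad"] and trusted_local_resolver


def build_header(ident: int, flags: int, qd=1, an=1, ns=0, ar=0) -> bytes:
    """Helper to construct a header for the samples below."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed sample headers (header only, no question/answer sections).
AA_ONLY = build_header(0x1234, QR | AA)   # authoritative, not validated
AD_SET = build_header(0x1234, QR | AD)    # validated by a recursive resolver
```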
