Re: [DNSOP] Setting the AD bit in the query changes whether you get the AD bit in the response?

Dick Franks <rwfranks@acm.org> Sun, 07 February 2016 00:57 UTC


On 7 February 2016 at 00:36, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> Greetings again. While doing some testing, I came across something that is
> both consistent across implementations but that I do not find in RFC 4033,
> 4034, or 4035. If a query for a properly-signed zone is sent to
> BIND-as-recursor, Unbound, or Google DNS, and the AD bit in the request is
> set to 1, the answer returned has the AD bit set to 1. However, if the
> query has the AD bit set to 0, the response always has the AD bit set to 0,
> even though the requested zone is properly signed.
>
> This happens regardless of whether or not there is an EDNS0 extension with
> the DO bit set to 1.
>
> I can't find anywhere in 403[3:5] that says that the AD bit in the request
> means anything. Did I miss that? Or is it specified in a different RFC?

RFC6840

5.7.  Setting the AD Bit on Queries

   The semantics of the Authentic Data (AD) bit in the query were
   previously undefined.  Section 4.6 of [RFC4035] instructed resolvers
   to always clear the AD bit when composing queries.

   This document defines setting the AD bit in a query as a signal
   indicating that the requester understands and is interested in the
   value of the AD bit in the response.  This allows a requester to
   indicate that it understands the AD bit without also requesting
   DNSSEC data via the DO bit.

5.8.  Setting the AD Bit on Replies

   Section 3.2.3 of [RFC4035] describes under which conditions a
   validating resolver should set or clear the AD bit in a response.  In
   order to interoperate with legacy stub resolvers and middleboxes that
   neither understand nor ignore the AD bit, validating resolvers SHOULD
   only set the AD bit when a response both meets the conditions listed
   in Section 3.2.3 of [RFC4035], and the request contained either a set
   DO bit or a set AD bit.


--

Dick Franks
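To make the RFC 6840 rule concrete, here is an added illustration (not part of the list thread or any resolver's code) that builds a DNS query header with or without the AD bit and an EDNS0 DO bit, then applies the section 5.8 test a validating resolver uses to decide whether its reply carries AD. The `build_query` and `reply_flags` helpers are hypothetical names for this example; the bit positions are the RFC 1035/4035/6891 header and OPT-TTL layouts.

```python
import struct

# Bit masks within the 16-bit FLAGS word of the DNS header (RFC 1035 4.1.1, RFC 4035 3.1.6).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
# The DO bit is not in the header: it is the top bit of the EDNS0 OPT RR's TTL field (RFC 6891 6.1.3).
EDNS_DO = 0x8000


def build_header(msg_id, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Serialize the 12-byte DNS header, network byte order."""
    return struct.pack("!6H", msg_id, flags, qdcount, ancount, nscount, arcount)


def header_flags(header):
    """Extract the FLAGS word from a raw 12-byte header."""
    return struct.unpack("!6H", header[:12])[1]


def build_query(msg_id, want_ad, edns_do):
    """Compose a recursive query (hypothetical helper).

    want_ad: set AD in the query, the RFC 6840 5.7 signal "I understand AD".
    edns_do: None for no OPT RR at all, False for OPT with DO=0, True for OPT with DO=1.
    Returns (header_bytes, opt_ttl) where opt_ttl is the OPT RR TTL word or None.
    """
    flags = RD | (AD if want_ad else 0)
    opt_ttl = None if edns_do is None else (EDNS_DO if edns_do else 0)
    return build_header(msg_id, flags, arcount=0 if opt_ttl is None else 1), opt_ttl


def requester_understands_ad(query_flags, query_opt_ttl):
    """RFC 6840 5.8: the request 'contained either a set DO bit or a set AD bit'."""
    has_ad = bool(query_flags & AD)
    has_do = query_opt_ttl is not None and bool(query_opt_ttl & EDNS_DO)
    return has_ad or has_do


def reply_flags(query_header, query_opt_ttl, validated):
    """FLAGS a validating resolver puts on its reply (hypothetical helper).

    AD is set only when the answer validated (RFC 4035 3.2.3) AND the requester
    signalled understanding of AD; otherwise it stays clear so legacy stubs and
    middleboxes that neither understand nor ignore AD are not confused.
    """
    qflags = header_flags(query_header)
    flags = QR | RA | (qflags & (RD | CD))  # response, recursion available; RD and CD echoed
    if validated and requester_understands_ad(qflags, query_opt_ttl):
        flags |= AD
    return flags
```

Note that the RFC text as quoted lets a set DO bit on its own trigger AD in the reply, so the third case below differs from the behaviour reported in the quoted question, where only the query's AD bit seemed to matter.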