IETF Logo Mail Archive

Re: [DNSOP] Setting the AD bit in the query changes whether you get the AD bit in the response?

"Paul Hoffman" <paul.hoffman@vpnc.org> Sun, 07 February 2016 00:56 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69EB41A88B1 for <dnsop@ietfa.amsl.com>; Sat, 6 Feb 2016 16:56:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qg7e9sDRCJ9D for <dnsop@ietfa.amsl.com>; Sat, 6 Feb 2016 16:56:25 -0800 (PST)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E99CC1A8888 for <dnsop@ietf.org>; Sat, 6 Feb 2016 16:56:24 -0800 (PST)
Received: from [10.32.60.31] (50-1-98-110.dsl.dynamic.fusionbroadband.com [50.1.98.110]) (authenticated bits=0) by hoffman.proper.com (8.15.2/8.14.9) with ESMTPSA id u170uMk0005935 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 6 Feb 2016 17:56:23 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 50-1-98-110.dsl.dynamic.fusionbroadband.com [50.1.98.110] claimed to be [10.32.60.31]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Shumon Huque <shuque@gmail.com>
Date: Sat, 06 Feb 2016 16:56:22 -0800
Message-ID: <669546BB-5F77-44AE-8209-7844A85485A9@vpnc.org>
In-Reply-To: <CAHPuVdUX3jDU0ba8v-hT8fwYVTmgxQEd+bGiaHK0T4gnFGmuHQ@mail.gmail.com>
References: <DA4AEF28-00FD-4E8A-AB7C-9C0AFE6485ED@vpnc.org> <CAHPuVdUX3jDU0ba8v-hT8fwYVTmgxQEd+bGiaHK0T4gnFGmuHQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.3r5187)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Ic1OWceg8ri2SwiLkhM2nv52uv4>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Setting the AD bit in the query changes whether you get the AD bit in the response?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Feb 2016 00:56:26 -0000

On 6 Feb 2016, at 16:41, Shumon Huque wrote:

> On Sat, Feb 6, 2016 at 7:36 PM, Paul Hoffman <paul.hoffman@vpnc.org> 
> wrote:
>
>> Greetings again. While doing some testing, I came across something 
>> that is
>> both consistent across implementations but that I do not find in RFC 
>> 4033,
>> 4034, or 4035. If a query for a properly-signed zone is sent to
>> BIND-as-recursor, Unbound, or Google DNS, and the AD bit in the 
>> request is
>> set to 1, the answer returned has the AD bit set to 1. However, if 
>> the
>> query has the AD bit set to 0, the response always has the AD bit set 
>> to 0,
>> even though the requested zone is properly signed.
>>
>> This happens regardless of whether or not there is an EDNS0 extension 
>> with
>> the DO bit set to 1.
>>
>> I can't find anywhere in 403[3:5] that says that the AD bit in the 
>> request
>> means anything. Did I miss that? Or is it specified in a different 
>> RFC?
>>
>> --Paul Hoffman
>>
>
> Paul,
>
> https://tools.ietf.org/html/rfc6840#section-5.7

Thanks! I knew it was somewhere, but I had forgotten it is there.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email