Re: [DNSOP] Setting the AD bit in the query changes whether you get the AD bit in the response?

Dick Franks <rwfranks@gmail.com> Sun, 07 February 2016 00:53 UTC

In-Reply-To: <DA4AEF28-00FD-4E8A-AB7C-9C0AFE6485ED@vpnc.org>
References: <DA4AEF28-00FD-4E8A-AB7C-9C0AFE6485ED@vpnc.org>
From: Dick Franks <rwfranks@gmail.com>
Date: Sun, 07 Feb 2016 00:52:59 +0000
Message-ID: <CAKW6Ri7b_5h-HH2kfWBW1-jofteMyc1scafe=7CJBBMCVkVB9g@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/UYioHT8vteXfnCBVcSuzwJAkOcY>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Setting the AD bit in the query changes whether you get the AD bit in the response?

On 7 February 2016 at 00:36, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
[snip]

> I can't find anywhere in 403[3:5] that says that the AD bit in the request
> means anything. Did I miss that? Or is it specified in a different RFC?
>

RFC6840

5.7.  Setting the AD Bit on Queries

   The semantics of the Authentic Data (AD) bit in the query were
   previously undefined.  Section 4.6 of [RFC4035] instructed resolvers
   to always clear the AD bit when composing queries.

   This document defines setting the AD bit in a query as a signal
   indicating that the requester understands and is interested in the
   value of the AD bit in the response.  This allows a requester to
   indicate that it understands the AD bit without also requesting
   DNSSEC data via the DO bit.

5.8.  Setting the AD Bit on Replies

   Section 3.2.3 of [RFC4035] describes under which conditions a
   validating resolver should set or clear the AD bit in a response.  In
   order to interoperate with legacy stub resolvers and middleboxes that
   neither understand nor ignore the AD bit, validating resolvers SHOULD
   only set the AD bit when a response both meets the conditions listed
   in Section 3.2.3 of [RFC4035], and the request contained either a set
   DO bit or a set AD bit.


-- 
Dick Franks
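The two quoted sections together describe one decision a validating resolver makes: set AD in the reply only when the answer actually validated (the RFC 4035 section 3.2.3 conditions) and the query signalled interest through either the AD bit (RFC 6840 section 5.7) or the EDNS DO bit. The following Python is an added example, not code from the thread, from RFC 6840, or from any resolver; it builds minimal wire-format queries, reads the AD flag from the header and the DO flag from the OPT record, and applies the section 5.8 rule. The header flag positions are those of RFC 1035/4035 and the DO bit position in the OPT TTL field is that of RFC 6891; the function names and the assumed `validated` input are mine.

```python
import struct

# Header flag bits (RFC 1035, with AD/CD from RFC 4035 section 3.1.6 / 3.2.2)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010

# The DO bit is not in the header: it is bit 15 of the 32-bit TTL field
# of the EDNS(0) OPT pseudo-RR (RFC 6891 section 6.1.4).
TYPE_OPT = 41
EDNS_DO = 0x8000


def _skip_name(msg, off):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def query_signals(msg):
    """Return {'ad': bool, 'do': bool} for a wire-format DNS query."""
    _ident, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    off = 12
    for _ in range(qd):                 # question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    do_bit = False
    for _ in range(an + ns + ar):       # scan remaining sections for an OPT RR
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        if rtype == TYPE_OPT and ttl & EDNS_DO:
            do_bit = True
        off += 10 + rdlen
    return {'ad': bool(flags & FLAG_AD), 'do': do_bit}


def response_ad_bit(query, validated):
    """RFC 6840 section 5.8: AD is set only if the data validated (the RFC 4035
    section 3.2.3 conditions, represented here by the assumed `validated` flag)
    AND the query carried a set DO bit or a set AD bit."""
    sig = query_signals(query)
    return bool(validated and (sig['ad'] or sig['do']))


def response_flags(query, validated):
    """Compose the response header flags word: QR and RA set, RD and CD copied
    from the query, AD decided by response_ad_bit()."""
    qflags = struct.unpack('!H', query[2:4])[0]
    flags = FLAG_QR | FLAG_RA | (qflags & (FLAG_RD | FLAG_CD))
    if response_ad_bit(query, validated):
        flags |= FLAG_AD
    return flags


def build_query(name, qtype=1, set_ad=False, set_do=False, ident=0x1234):
    """Build a constructed wire-format query (RD set; AD and/or DO optional)."""
    flags = FLAG_RD | (FLAG_AD if set_ad else 0)
    msg = struct.pack('!HHHHHH', ident, flags, 1, 0, 0, 1 if set_do else 0)
    for label in name.rstrip('.').split('.'):
        msg += bytes([len(label)]) + label.encode('ascii')
    msg += b'\x00' + struct.pack('!HH', qtype, 1)
    if set_do:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags (DO), empty RDATA
        msg += b'\x00' + struct.pack('!HHIH', TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


if __name__ == '__main__':
    for ad, do in ((False, False), (True, False), (False, True)):
        q = build_query('example.com.', set_ad=ad, set_do=do)
        print(f"query AD={ad} DO={do}: response AD={response_ad_bit(q, True)}")
```

The first case is exactly what the thread's subject line asks about: a legacy-style query with neither AD nor DO gets no AD bit in the reply even though the answer validated, which is the interoperability concession section 5.8 makes for stubs and middleboxes that neither understand nor ignore AD.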