Re: [DNSOP] AD + CD bits in query?

Mark Andrews <marka@isc.org> Mon, 25 June 2018 21:12 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63790130E5E for <dnsop@ietfa.amsl.com>; Mon, 25 Jun 2018 14:12:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4B2J4WOVNrts for <dnsop@ietfa.amsl.com>; Mon, 25 Jun 2018 14:12:53 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7203F130E58 for <dnsop@ietf.org>; Mon, 25 Jun 2018 14:12:53 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 592663AB03B; Mon, 25 Jun 2018 21:12:53 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 27A19160043; Mon, 25 Jun 2018 21:12:53 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 0B4D816006C; Mon, 25 Jun 2018 21:12:53 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id wRRVWqSlLfF3; Mon, 25 Jun 2018 21:12:52 +0000 (UTC)
Received: from [172.30.42.89] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id A7E78160043; Mon, 25 Jun 2018 21:12:52 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Mark Andrews <marka@isc.org>
X-Mailer: iPhone Mail (15F79)
In-Reply-To: <13af9e62-9288-9ebd-594b-bf3d17e8fefd@nic.cz>
Date: Tue, 26 Jun 2018 07:12:49 +1000
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <4F65CD99-1E7B-40FA-AA73-C5A189318185@isc.org>
References: <13af9e62-9288-9ebd-594b-bf3d17e8fefd@nic.cz>
To: Petr Špaček <petr.spacek@nic.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/c_9FWnrFH0Sht7I3Rhnle7P6mg0>
Subject: Re: [DNSOP] AD + CD bits in query?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jun 2018 21:12:55 -0000

What is fuzzy? AD (and DO) says set the AD bit if the appropriate rrsets have all been validated as secure. CD says if you recurse to answer this query, do not validate the answer. There is no "you must recurse to answer this query" or "you must ignore previous validation results if CD is set".

The two bits are not mutually exclusive. The two bits do not modify the behaviour of the other.

If the conditions for setting AD in the response are met then it should be set.
-- 
Mark Andrews

> On 25 Jun 2018, at 23:23, Petr Špaček <petr.spacek@nic.cz> wrote:
> 
> Hello dnsop,
> 
> it seems to me that recursive resolver behavior for queries with AD + CD
> bits set at the same time is a bit fuzzy and I want to check what
> opinions WG participants have:
> 
> My understanding of
> https://tools.ietf.org/html/rfc6840#section-5.8
> https://tools.ietf.org/html/rfc4035#section-3.2.3
> is that the answer to a query with `AD + CD` can have AD set if the answer is
> coming from the resolver's cache (assuming the answer was stored into the
> cache while processing a query *without* the CD bit set).
> 
> What do you think?
> Do you see any operational impact if the AD is OR is not set in answers
> with CD set?
> 
> Thanks.
> 
> -- 
> Petr Špaček  @  CZ.NIC
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
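The interaction the two messages above describe, as an added worked example that is not code from this thread, from BIND, or from any other resolver: a toy validating resolver that applies Mark's reading (AD means every relevant RRset validated secure; CD only suppresses validation when the resolver has to recurse; neither bit alters the other) together with the RFC 6840 section 5.7 rule that AD is only set when the query carried AD or DO. The flag-bit layout is the real one from RFC 1035 and RFC 4035; the `UPSTREAM` table, the `validate` stub and the single shared cache are constructed assumptions for the example.

```python
"""Added example (not from the thread or any resolver): how AD in a response
depends on query AD/CD/DO and on the validation state of cached data.

Rules implemented (RFC 4035 s3.2.3, RFC 6840 s5.7, and the messages above):
  * AD in the response means every RRset in the answer was validated secure,
    and it is only set when the query had AD or DO set.
  * CD in the query means "do not validate if you have to recurse"; it does
    not discard a validation result already in cache.
"""
import struct

# Header flags word (RFC 1035 s4.1.1; AD/CD from RFC 4035 s3.1.6):
# QR(15) Opcode(14-11) AA(10) TC(9) RD(8) RA(7) Z(6) AD(5) CD(4) RCODE(3-0)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
SERVFAIL = 2


def build_header(txid, flags, qdcount=1, ancount=0):
    """12-byte DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def parse_header(header):
    """Decode the header fields this example cares about."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", header[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0xF}


# Constructed stand-in for the authoritative side (assumption):
# name -> (rdata, signatures-would-validate?)
UPSTREAM = {
    "secure.example.": ("192.0.2.1", True),
    "bogus.example.": ("192.0.2.2", False),
}


def validate(name):
    """Stub DNSSEC validator (assumption: a real one walks the chain of trust)."""
    return "secure" if UPSTREAM[name][1] else "bogus"


class Resolver:
    def __init__(self):
        # name -> (rdata, state); state in {"secure", "bogus", "unvalidated"}
        self.cache = {}

    def resolve(self, query_header, name, do=False):
        """Return (response header, rdata or None) for one query.

        `do` stands in for the EDNS DO bit, which lives in the OPT RR rather
        than the header (RFC 6891 s6.1.4), so it is passed separately here.
        """
        q = parse_header(query_header)
        entry = self.cache.get(name)
        if entry is None:
            rdata = UPSTREAM[name][0]          # "recurse" to the stub upstream
            # CD: do not validate when recursing. Otherwise validate now.
            state = "unvalidated" if q["cd"] else validate(name)
            entry = self.cache[name] = (rdata, state)
        elif entry[1] == "unvalidated" and not q["cd"]:
            # Fetched earlier under CD and never checked; a CD=0 client needs
            # a verdict before it can be served.
            entry = self.cache[name] = (entry[0], validate(name))
        rdata, state = entry

        # Echo RD and CD back to the client, as resolvers commonly do.
        flags = QR | RA | (RD if q["rd"] else 0) | (CD if q["cd"] else 0)
        if state == "bogus" and not q["cd"]:
            return build_header(q["id"], flags | SERVFAIL), None
        # AD only when the data is secure AND the client asked for AD/DO.
        if state == "secure" and (q["ad"] or do):
            flags |= AD
        return build_header(q["id"], flags, ancount=1), rdata


if __name__ == "__main__":
    r = Resolver()
    for txid, flags, name in ((1, RD | AD, "secure.example."),
                              (2, RD | AD | CD, "secure.example."),
                              (3, RD | AD | CD, "bogus.example."),
                              (4, RD | AD, "bogus.example.")):
        hdr, rdata = r.resolve(build_header(txid, flags), name)
        print(name, parse_header(build_header(txid, flags)), "->",
              parse_header(hdr), rdata)
```

The sequence in `__main__` is the one Petr asks about: query 1 (AD, no CD) validates `secure.example.` and answers with AD; query 2 (AD and CD) for the same name is served from cache with AD still set, because CD did not have to recurse and does not erase the earlier verdict; query 3 (AD and CD) for an uncached name is fetched without validation and answered without AD; query 4 (CD clear) for that now-cached but unvalidated data forces validation and gets SERVFAIL. A real resolver that keeps CD-fetched data in the same cache must do that deferred validation, or keep separate caches, to avoid serving bogus data to CD=0 clients.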