[DNSOP] Setting the AD bit in the query changes whether you get the AD bit in the response?

"Paul Hoffman" <paul.hoffman@vpnc.org> Sun, 07 February 2016 00:36 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
To: dnsop WG <dnsop@ietf.org>
Date: Sat, 06 Feb 2016 16:36:11 -0800
Message-ID: <DA4AEF28-00FD-4E8A-AB7C-9C0AFE6485ED@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.3r5187)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/weUc_cD3G11U3IfquVlenEdvSYo>
Subject: [DNSOP] Setting the AD bit in the query changes whether you get the AD bit in the response?

Greetings again. While doing some testing, I came across something that is consistent across implementations but that I do not find in RFC 4033, 4034, or 4035. If a query for a properly-signed zone is sent to BIND-as-recursor, Unbound, or Google DNS, and the AD bit in the request is set to 1, the answer returned has the AD bit set to 1. However, if the query has the AD bit set to 0, the response always has the AD bit set to 0, even though the requested zone is properly signed.

This happens regardless of whether or not there is an EDNS0 extension with the DO bit set to 1.

I can't find anywhere in 403[3:5] that says that the AD bit in the request means anything. Did I miss that? Or is it specified in a different RFC?

--Paul Hoffman
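The following is an added example, not code from the original post or from any of the resolvers it names. It shows where the AD bit sits in the DNS header and in an EDNS0 OPT record, builds the two queries the post compares (AD clear and AD set, with or without DO), and reads the AD bit back out of the reply. The `observed_resolver` function is a constructed offline model of the behaviour the post reports (AD in the answer only when AD was in the query); `udp_resolver` is an assumed helper for repeating the probe against a live resolver, with a placeholder address.

```python
"""Reproduce the AD-bit observation at the wire level: build DNS queries
with the AD bit set or clear (plus EDNS0 DO), and read the AD bit back
out of the response header."""
import socket
import struct

# DNS header flag masks (RFC 1035 section 4.1.1; AD/CD from RFC 4035)
QR = 0x8000
RD = 0x0100
RA = 0x0080
AD = 0x0020
CD = 0x0010
RCODE_MASK = 0x000F
OPT_TYPE = 41
EDNS_DO = 0x8000  # DO bit is the top bit of the OPT RR's TTL field (RFC 3225)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                ad: bool = False, do: bool = True) -> bytes:
    """Recursive query with AD and DO selectable, so both cases can be compared."""
    flags = RD | (AD if ad else 0)
    arcount = 1 if do else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if do:
        # OPT pseudo-RR: root name, type 41, class = UDP payload size,
        # TTL = ext-RCODE(8) | version(8) | DO(1) | Z(15), empty rdata
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_flags(packet: bytes) -> dict:
    """Decode the header flag bits a DNSSEC tester cares about."""
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
    }


def observed_resolver(query: bytes, validated: bool = True) -> bytes:
    """CONSTRUCTED model of the behaviour the post reports: the reply carries
    AD only when the query carried AD (and the data validated).  This is not
    any real resolver's code; it just produces a reply header for offline
    study.  The question section (and OPT, if any) is echoed back."""
    txid, qflags = struct.unpack("!HH", query[:4])
    rflags = QR | RA | (qflags & (RD | CD))
    if validated and (qflags & AD):
        rflags |= AD
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + query[12:]


def ad_probe(qname: str, resolver=observed_resolver, do: bool = True) -> dict:
    """Send the same query twice, AD clear then AD set, and record the AD
    bit of each reply.  Returns {query_ad: response_ad}."""
    results = {}
    for ad in (False, True):
        reply = resolver(build_query(qname, ad=ad, do=do))
        results[ad] = parse_flags(reply)["ad"]
    return results


def udp_resolver(server: str, port: int = 53, timeout: float = 3.0):
    """Assumed helper: returns a callable that sends one query to a live
    resolver over UDP, usable as the `resolver` argument of ad_probe."""
    def send(query: bytes) -> bytes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            return s.recv(4096)
    return send


if __name__ == "__main__":
    print("offline model:", ad_probe("example.com."))
    # Against a real validating resolver (address is a placeholder):
    # print(ad_probe("example.com.", udp_resolver("192.0.2.53")))
```

Running `ad_probe` against the offline model returns `{False: False, True: True}`, which is exactly the pattern described above; pointing it at a live validating resolver with `udp_resolver` repeats the post's experiment with and without DO so the two cases can be compared side by side.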