Re: [dnsext] AD bit

Alfred Hönes <ah@TR-Sys.de> Thu, 08 March 2012 15:33 UTC

From: Alfred Hönes <ah@TR-Sys.de>
Message-Id: <201203081531.QAA22801@TR-Sys.de>
To: dnsext@ietf.org
Date: Thu, 08 Mar 2012 16:31:53 +0100

At Mon, 05 Mar 2012 09:11:52 +1100, Mark Andrews wrote:
> In message <20120304205347.GA17454 at miek.nl>, Miek Gieben writes:
>> Hello,
>>
>> As RFC 4035 obsoletes both RFC 3655 and RFC 2535, what document should
>> be used to find the definition of the AD and CD bits in the message header?
>>
>>  Regards,
>>
>> --
>>     Miek Gieben
>
> Currently RFC 2535.

I don't think so.

RFCs 4033 and 4035 have obsoleted RFCs 2535 and 3655.  We should
not give citations of obsolete documents as normative sources.

And we _do_ have such sources in this case:

Section 3 of RFC 4033 says (emphasis added):

|3.  Services Provided by DNS Security
|
|  The Domain Name System (DNS) security extensions provide origin
|  authentication and integrity assurance services for DNS data,
|  including mechanisms for authenticated denial of existence of DNS
|  data.  These mechanisms are described below.
|
|> These mechanisms require changes to the DNS protocol.  DNSSEC adds
|  four new resource record types: Resource Record Signature (RRSIG),
|  DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure
|> (NSEC).  It also adds two new message header bits: Checking Disabled
|> (CD) and Authenticated Data (AD).  In order to support the larger DNS
|  message sizes that result from adding the DNSSEC RRs, DNSSEC also
|  requires EDNS0 support ([RFC2671]).  Finally, DNSSEC requires support
|  for the DNSSEC OK (DO) EDNS header bit ([RFC3225]) so that a
|  security-aware resolver can indicate in its queries that it wishes to
|  receive DNSSEC RRs in response messages.
|
|  [...]

RFCs 4033-4035 (+ some more) are the current DNSSEC specifications,
and this should make clear that this document set is authoritative
for these bits now.

RFC 4035 contains copious text in multiple sections specifying the
AD and CD bits, in particular Sections 3.1.6, 3.2.2, 3.2.3, 4.6,
4.9.2, 4.9.3.  Furthermore, RFC 4035 contains (emphasis added):

|6.  IANA Considerations
|
|  [RFC4034] contains a review of the IANA considerations introduced by
|  DNSSEC.  The following are additional IANA considerations discussed
|  in this document:
|
|> [RFC2535] reserved the CD and AD bits in the message header.  The
|> meaning of the AD bit was redefined in [RFC3655], and the meaning of
|> both the CD and AD bit are restated in this document.  No new bits in
|> the DNS message header are defined in this document.
|
|  [...]

I guess this qualifies for quoting RFC 4035 (or RFCs 4033 and 4035)
as the authoritative definition of these bits.

The IANA assigned placement information for both bits has been
maintained in RFC 6195 and its predecessors as well.

Kind regards,
  Alfred.

-- 

+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
| Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
| D-71254  Ditzingen     |  E-Mail:  ah@TR-Sys.de                     |
+------------------------+--------------------------------------------+

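As an added illustration, not part of this message or of any RFC text: the AD and CD bits discussed above live in the 16-bit flags word of the DNS message header. The decoder below assumes the RFC 1035 header layout (ID, flags, four section counts) and uses a constructed sample response; the `trust_ad` helper reflects the RFC 4035 guidance that a stub resolver should rely on a response's AD bit only when it comes from a trusted validating resolver.

```python
import struct

# Bit masks within the 16-bit flags word (RFC 1035 header; AD/CD per RFC 4035).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its flag bits and section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR), "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def flag_string(hdr: dict) -> str:
    """Render set flags in dig's style, e.g. 'qr rd ra ad'."""
    return " ".join(n for n in ("qr", "aa", "tc", "rd", "ra", "ad", "cd") if hdr[n])

def build_query_header(ident: int, checking_disabled: bool = False) -> bytes:
    """Header for a recursive query with one question; CD=1 asks the
    recursive resolver not to reject data that fails validation (RFC 4035)."""
    flags = RD | (CD if checking_disabled else 0)
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0)

def trust_ad(hdr: dict, resolver_is_trusted: bool) -> bool:
    """AD only asserts that the *resolver* validated the data. A stub should
    act on it only for a response (QR=1) from a trusted validating resolver
    reached over a secure channel; the caller supplies that judgement."""
    return hdr["qr"] and hdr["ad"] and resolver_is_trusted

# Constructed sample: ID 0x1234, flags QR|RD|RA|AD (0x81A0), 1 question,
# 2 answers, 0 authority, 1 additional (e.g. an OPT record).
SAMPLE_RESPONSE = bytes.fromhex("1234 81a0 0001 0002 0000 0001")

if __name__ == "__main__":
    hdr = parse_header(SAMPLE_RESPONSE)
    print("flags:", flag_string(hdr), "rcode:", hdr["rcode"])
    print("query with CD set:", build_query_header(7, True).hex())
```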