Hello Stephane,

On 03 Sep 2014, at 9:00, Stephane Bortzmeyer <[email protected]> wrote:

> BIND validates "A nimportequoi.otsuka" and yields an answer with AD bit
> set.
>
> Unbound gives back the answer but without the AD bit.
>
> [Try it yourself, 'dig @unbound.odvr.dns-oarc.net A
> nimportequoi.otsuka' and 'dig @bind.odvr.dns-oarc.net A nimportequoi.otsuka']
>
> In some cases (difficult to pinpoint, depending on the resolver's
> state), both BIND and Unbound return SERVFAIL.
>
> Who's right?

Haven't seen SERVFAILs from either, so can't answer about those. But Unbound is right. The NSEC3 that covers the name you are asking for has the opt-out flag set, and hence the denial is insecure (but not bogus). Setting AD is, to my knowledge, not valid here.

> PS: dnsviz claims that names like eb2dz5xm4s.otsuka are "secure,
> non-existent" while they elicit an answer.

This is also normal. For a wildcard to be allowed to be used for synthesis, the actual name needs to be proven non-existent in the zone.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
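The distinction Peter draws (a covering NSEC3 with the opt-out flag set makes the denial insecure, so a validator must not set AD) as an added, stand-alone example; this is not code from the thread or from Unbound or BIND. It implements the RFC 5155 NSEC3 owner-name hash and then checks only the record that matches or covers the queried name, not the full closest-encloser proof a real validator performs; the zone names and chain are constructed for illustration.

```python
import hashlib
import base64

OPT_OUT = 0x01  # NSEC3 flags field, bit 0 (RFC 5155 section 3.1.2.1)

_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1(wire-format name || salt), re-hashed
    `iterations` times, returned as lowercase Base32hex (32 chars)."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_B32HEX).lower()

def build_chain(names, flags, salt=b"", iterations=0):
    """Constructed helper: turn the owner names that exist in a zone into a
    closed NSEC3 chain [(owner_hash, flags, next_hash), ...] in hash order."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, flags, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def classify_denial(qname, chain, salt=b"", iterations=0):
    """Locate the NSEC3 that matches or covers qname and report what a
    validator may conclude from it alone:
      'exists'   - the hash equals an owner hash, so this is not a denial;
      'secure'   - covered by an NSEC3 without opt-out, AD may be set;
      'insecure' - covered by an opt-out NSEC3: unsigned delegations may sit
                   in that span, so the denial is insecure and AD must not be set.
    Returns None if no record covers the hash (broken or incomplete chain)."""
    h = nsec3_hash(qname, salt, iterations)
    for owner, flags, nxt in chain:
        owner, nxt = owner.lower(), nxt.lower()
        if h == owner:
            return "exists"
        # The last record wraps around to the first, so its span is two-sided.
        covered = (h > owner or h < nxt) if owner >= nxt else (owner < h < nxt)
        if covered:
            return "insecure" if flags & OPT_OUT else "secure"
    return None

if __name__ == "__main__":
    # Constructed zone "example" whose NSEC3 records carry the opt-out flag.
    chain = build_chain(["example", "a.example", "ns.example"], OPT_OUT)
    print(classify_denial("nimportequoi.example", chain))  # insecure
```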
