Peter van Dijk <[email protected]> wrote:

> But Unbound is right. The NSEC3 that covers the name you are asking for
> has the opt-out flag set, and hence the denial is insecure (but not
> bogus). Setting AD is, to my knowledge, not valid here.

I think you are right, though it can be a bit difficult to know when to set AD :-)

I think the most pertinent text in RFC 5155 is in section 12.2, Opt-Out Considerations:

    Note that with or without Opt-Out, an insecure delegation may be
    undetectably altered by an attacker. Because of this, the primary
    difference in security when using Opt-Out is the loss of the ability
    to prove the existence or nonexistence of an insecure delegation
    within the span of an Opt-Out NSEC3 RR. In particular, this means
    that a malicious entity may be able to insert or delete RRs with
    unsigned names. These RRs are normally NS RRs, but this also includes
    signed wildcard expansions (while the wildcard RR itself is signed,
    its expanded name is an unsigned name).

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly 5 or 6. Slight or moderate. Showers in northwest. Good.
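Added illustration of the point made in the thread (this is not code from the thread, from Unbound, or from RFC 5155): a minimal Python check that hashes the query name as RFC 5155 section 5 specifies, finds the NSEC3 that matches or covers it, and reports whether the denial is Secure (AD permitted) or, when the covering NSEC3 carries the Opt-Out flag, Insecure (AD must stay clear). The NSEC3 records and query name are constructed; the salt and iteration count are the ones from RFC 5155 Appendix A. It deliberately skips RRSIG verification and the closest-encloser walk, both of which a real validator must perform before trusting any of this.

```python
import base64
import hashlib
from dataclasses import dataclass

# Added example, not code from the thread or from Unbound. Hashing follows
# RFC 5155 section 5; the Opt-Out flag is defined in section 3.1.2.1.
SHA1 = 1             # NSEC3 hash algorithm number 1 = SHA-1
OPT_OUT_FLAG = 0x01  # least-significant bit of the NSEC3 Flags field

# base32hex (RFC 4648 "Extended Hex" alphabet) keeps the text form in the
# same order as the raw hash bytes, so string comparison works on the ring.
_TO_BASE32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) uncompressed wire form of an absolute name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int, algorithm: int = SHA1) -> str:
    """H(name || salt), then re-hashed `iterations` more times, as lowercase base32hex."""
    if algorithm != SHA1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_BASE32HEX).decode().lower()


@dataclass(frozen=True)
class NSEC3:
    owner_hash: str   # hashed owner name (first label of the record's owner)
    next_hash: str    # "Next Hashed Owner Name" field
    flags: int        # Flags field; bit 0 is Opt-Out

    @property
    def opt_out(self) -> bool:
        return bool(self.flags & OPT_OUT_FLAG)

    def matches(self, h: str) -> bool:
        return h == self.owner_hash

    def covers(self, h: str) -> bool:
        """True if h lies strictly between owner and next on the hash ring."""
        o, n = self.owner_hash, self.next_hash
        if o < n:
            return o < h < n
        # Last record wraps around to the first (or o == n in a one-record
        # chain), so it covers everything after o and everything before n.
        return h != o and (h > o or h < n)


def classify_denial(qname: str, records, salt: bytes, iterations: int) -> str:
    """What an (assumed authentic) NSEC3 set proves about qname.

    Simplified on purpose: a real validator also checks the RRSIGs and walks
    the closest-encloser proof of RFC 5155 section 8. Here the parent of
    qname is assumed to be the signed zone the records came from.
    """
    h = nsec3_hash(qname, salt, iterations)
    for rr in records:
        if rr.matches(h):
            return "exists"          # the name exists, so nothing is denied
    for rr in records:
        if rr.covers(h):
            # Opt-Out: unsigned delegations may sit in this span undetected,
            # so the record only proves "no *signed* name here" -> Insecure.
            return "insecure" if rr.opt_out else "secure"
    return "bogus"                   # nothing matches or covers: proof is missing


def ad_bit_for(status: str) -> bool:
    """AD is only set when the entire response validated as Secure (RFC 4035 3.2.3)."""
    return status == "secure"


if __name__ == "__main__":
    salt, iterations = bytes.fromhex("aabbccdd"), 12   # RFC 5155 Appendix A parameters
    apex = nsec3_hash("example.", salt, iterations)    # -> 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    for flags in (OPT_OUT_FLAG, 0):
        zone = [NSEC3(apex, apex, flags)]              # constructed one-record chain
        status = classify_denial("nonexistent.example.", zone, salt, iterations)
        print(f"flags={flags}: denial is {status}, AD={ad_bit_for(status)}")
```

The same covering NSEC3 yields opposite AD decisions depending only on the Opt-Out bit, which is the distinction Peter draws: the span is proven empty of signed names, but an unsigned delegation could have been inserted or removed in it without the validator noticing, so the answer is Insecure rather than Secure and the resolver has no basis for setting AD.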
