On Mon, Feb 03, 2020 at 07:19:16PM +0900, T.Suzuki wrote:

> Something strange...
>
> ~% dig soa nasa.gov @1.1.1.1 +dnssec +noad
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

Yes, it seems that Cloudflare does not return the AD bit when it is not requested, even when the DO bit is set.

https://tools.ietf.org/html/rfc6840#section-5.8

    Section 3.2.3 of [RFC4035] describes under which conditions a
    validating resolver should set or clear the AD bit in a response.  In
    order to interoperate with legacy stub resolvers and middleboxes that
    neither understand nor ignore the AD bit, validating resolvers SHOULD
    only set the AD bit when a response both meets the conditions listed
    in Section 3.2.3 of [RFC4035], and the request contained either a set
    DO bit or a set AD bit.

And the other public resolvers do set the AD bit when only the DO bit appears in the query, but is it wrong, or "how wrong" is it, for CF to not do this? Is this causing an observable issue for some stub resolver that uses the AD bit from a remote source like CF? Is the stub resolver doing DoH or DoT (and authenticating the remote cert chain) to secure the channel?

It would be interesting to know whether CF ran into some broken client systems that needed AD off when not directly solicited, all the while sending "DO"?

-- 
    Viktor.
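As an added illustration (not part of the thread, and not any resolver's code), the following constructs a query like the dig above in wire format, reads back the RD/AD/CD header flags and the EDNS DO bit from the OPT RR, and applies the RFC 6840 section 5.8 rule to decide whether a validating resolver should set AD. Names, query contents and the 4096-byte EDNS size are constructed sample values.

```python
import struct

QTYPE_SOA, QTYPE_OPT = 6, 41
FLAG_RD, FLAG_AD, FLAG_CD = 0x0100, 0x0020, 0x0010
EDNS_DO = 0x8000  # DO is the high bit of the OPT RR's 32-bit "TTL" field (RFC 6891)

def encode_name(name):
    # Wire-format a dotted name as length-prefixed labels, no compression.
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype, rd=True, ad=False, do=False, txid=0x1234):
    # Header: id, flags, qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR).
    flags = (FLAG_RD if rd else 0) | (FLAG_AD if ad else 0)
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, class = UDP payload size,
    # ttl = ext-rcode / version / flags (DO), rdlength 0.
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return hdr + question + opt

def skip_name(msg, off):
    # Advance past an uncompressed wire-format name.
    while msg[off] != 0:
        off += 1 + msg[off]
    return off + 1

def parse_query(msg):
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # qtype + qclass
    do = False
    for _ in range(an + ns + ar):          # a query normally carries only the OPT RR here
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == QTYPE_OPT and ttl & EDNS_DO:
            do = True
    return {"rd": bool(flags & FLAG_RD), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "do": do}

def should_set_ad(validated, req):
    # RFC 6840 section 5.8: set AD only when the answer validated (RFC 4035
    # section 3.2.3 conditions) AND the request carried a set DO or AD bit.
    return validated and (req["do"] or req["ad"])
```

With `dig +dnssec +noad` the constructed request has DO set and AD clear, so a resolver that validated the answer is expected to set AD; the quoted Cloudflare response in the thread does not.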
