The resolver on the IETF NAT64 network at the Royal York hotel in
Toronto sets the AD bit when the zone is signed, even when we ask it
about a AAAA record... which does not exist in the zone.

I checked the RFC on DNS64, RFC 6147 (especially section 3). The IETF
resolver is "security-aware" and "validating". RFC 6147 says "the
resolver should also set the Authentic Data (AD) bit on the response".
To me, it seems obvious that it is true only if the data has
been actually validated, which is not possible for the synthesized
AAAA record. Do I read the RFC correctly?

Unsigned domain, AD is absent, which is expected:
% dig AAAA twitter.com
; <<>> DiG 9.9.5-3-Ubuntu <<>> AAAA twitter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30741
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;twitter.com. IN AAAA
;; ANSWER SECTION:
twitter.com. 30 IN AAAA 64:ff9b::c710:9c46
twitter.com. 30 IN AAAA 64:ff9b::c710:9c66
twitter.com. 30 IN AAAA 64:ff9b::c710:9cc6
twitter.com. 30 IN AAAA 64:ff9b::c710:9c06
;; AUTHORITY SECTION:
twitter.com. 69830 IN NS ns4.p34.dynect.net.
twitter.com. 69830 IN NS ns2.p34.dynect.net.
twitter.com. 69830 IN NS ns1.p34.dynect.net.
twitter.com. 69830 IN NS ns3.p34.dynect.net.
;; Query time: 77 msec
;; SERVER: 2001:67c:370:229::7#53(2001:67c:370:229::7)
;; WHEN: Sun Jul 20 14:24:49 EDT 2014
;; MSG SIZE rcvd: 238
Signed domain, AAAA exists, AD is normal and expected:
% dig AAAA www.bortzmeyer.org
; <<>> DiG 9.9.5-3-Ubuntu <<>> AAAA www.bortzmeyer.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26968
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 10, ADDITIONAL: 18
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.bortzmeyer.org. IN AAAA
;; ANSWER SECTION:
www.bortzmeyer.org. 85680 IN AAAA 2001:4b98:dc0:41:216:3eff:fece:1902
www.bortzmeyer.org. 85680 IN AAAA 2605:4500:2:245b::42
www.bortzmeyer.org. 85680 IN RRSIG AAAA 8 3 86400 (
20140727115501 20140707131631 37573
bortzmeyer.org.
SI4NmYIiKnEV2ASrOmxcKv7HHaOIzmfCkB9Qv0CFv5SK
0B7dC6FBBdFJRycypvw9ZrTBIoNpZG68012RVJGV+SsL
2q8TIOUXr1iZ7UhtrReE65xNsuN6Q/2tuta7o3cb4Mjt
dk9nuIA9Vy7nceodACJ4UNxck5G993/Hsi7PB+k= )
;; AUTHORITY SECTION:
bortzmeyer.org. 73467 IN NS ns1.absolight.net.
bortzmeyer.org. 73467 IN NS ns1.bortzmeyer.org.
bortzmeyer.org. 73467 IN NS aede.fulax.net.
bortzmeyer.org. 73467 IN NS ns2.bortzmeyer.org.
bortzmeyer.org. 73467 IN NS ns4.absolight.net.
bortzmeyer.org. 73467 IN NS ns2.absolight.net.
bortzmeyer.org. 73467 IN NS ns3.absolight.net.
bortzmeyer.org. 73467 IN NS ns3.bortzmeyer.org.
bortzmeyer.org. 73467 IN NS ns.eu.org.
bortzmeyer.org. 73467 IN RRSIG NS 8 2 86400 (
20140728212355 20140708191645 37573
bortzmeyer.org.
ZQZkadwWAiu3VCqKMNBWB3Ra65C0wC9oFD0PjQIUStaH
D30ZyYTqauk/5H5svkR0gvbi0vuBbF9PGQblx3OziPHL
jxmcGoJoYkwlVMAtLAKzvsNXwFg0x2HtmvxtvBL0Hf5V
cT8pUcszYLENyh2fG6pBHWZfCSPD8lcGavzzPEc= )
;; ADDITIONAL SECTION:
ns.eu.org. 73467 IN A 93.19.226.142
ns1.bortzmeyer.org. 73467 IN A 204.62.14.153
ns1.bortzmeyer.org. 73467 IN AAAA 2605:4500:2:245b::42
ns2.bortzmeyer.org. 73467 IN A 106.186.29.14
ns2.bortzmeyer.org. 73467 IN AAAA 2400:8900::f03c:91ff:fe69:60d3
ns3.bortzmeyer.org. 73467 IN A 217.70.190.232
ns3.bortzmeyer.org. 85697 IN AAAA 2001:4b98:dc0:41:216:3eff:fece:1902
aede.fulax.net. 159867 IN A 95.130.11.7
aede.fulax.net. 159867 IN AAAA 2a02:a80:0:3007::aede
ns1.bortzmeyer.org. 85841 IN RRSIG A 8 3 86400 (
20140729101627 20140708191645 37573
bortzmeyer.org.
SxT98R9cr24M4BMY1jWogMluZNpHTYRXFOFPej2XMeX6
FA/dqDJPSFYxVYP8CIzuAMCyU+K+073OcqoNR1kfbw+M
NGLolwbu0RZjXpVfKpm9U4RdSwUYKt6cdmBnV2MtPG5N
gk65GbWmRJy2klD2HmC0ldcY8h3Xl9q0dzqup2s= )
ns1.bortzmeyer.org. 85841 IN RRSIG AAAA 8 3 86400 (
20140728173717 20140709111659 37573
bortzmeyer.org.
U2eHZ6zJMNhMstuQ+uPyemGwga8GtdbmTk+XfFEk4l8F
WqcdUT9LUMtqpdu8RppGS5QydIEmTRmf9zFyEmvfV2Dg
3bJs66I+LkWiq+9TWXRudDScMVmJWs5hYkiO+OXIpIsZ
vai/nEDylgfwPNoumk+lxopF8JCjh/OGsCzoaas= )
ns2.bortzmeyer.org. 85841 IN RRSIG A 8 3 86400 (
20140731181716 20140711111734 37573
bortzmeyer.org.
MDpYmr34EhU59brevitOxd8rXbzqEdiEIUH6PMnniK63
jv5xyJRngx43g3t+8gNlKxsf975oCn4A5miR+oYFB06y
kgToRxzqBhlZ7RtSMWdHpwRBWTnp0IhyQNvEDG0zP+pQ
ZatWTN9C0hoXSP+kL4Uz9OjiTNXGKzbi5L+f1HI= )
ns2.bortzmeyer.org. 85841 IN RRSIG AAAA 8 3 86400 (
20140729010929 20140708131643 37573
bortzmeyer.org.
mAl9P4z99+3ZHpij1FICjwqijIA8AUnfvrWsuswFgdaL
jX5SchI0D6LqtbZ+g+y3jQzouOx4dXVQALOVUuAW5RZ3
2vQg5Shwgsy0ETOtuC8uFq+GeMKZSUSeQkPG1QVKQQwA
FZ/hAfq5APQor40S7sacYiTtZjULgil+HXMPeQ8= )
ns3.bortzmeyer.org. 85841 IN RRSIG A 8 3 86400 (
20140728193532 20140709111659 37573
bortzmeyer.org.
IY20EL6lDm3n3o2zdWRoWoc8MHuAeL9LMpRcWTYc2s6f
EuWO87R7nQ+X2cFPLvwWyT/LlFXxBwkliSky5aeuosoC
XDBA9oVrQ1bJD45XPRdg9CJD4b5NcffKTNHhc4jV7QXE
L07PgUKFd5meh1JWEz1YJouNqQIwma3d9lyF14o= )
ns3.bortzmeyer.org. 85841 IN RRSIG AAAA 8 3 86400 (
20140730121734 20140710111717 37573
bortzmeyer.org.
i7wSi17o76VSHrJtxNcwRlggPErJFayNM03ZdsZKwczX
BxoSvda64x6Hnr4b6NK6G8B6nPPx8OvOdnLSmnKWCw2a
YVNF5VbWU6k9m4a0CXOIlArLJCJXXCuAhAdyq24ezumC
ARAKk/j60u8Sy+K58+SmHL8b5/xZFOuNdMSR/JU= )
aede.fulax.net. 73468 IN RRSIG A 8 3 86400 (
20140812033312 20140713075005 10366 fulax.net.
PfSvXXm9d7xl/Fvdk4VGVqhdEDj7D3bZgWLhN6PU533/
vDSWo/3Tm/UHiY1WhdTNdj6ayhdiGZevjcz+1nm7ox5J
+RHGa/Jh8s+G6pF5wgU5sy+FkCptw42+RlLrt5AzLBH7
oEDJ3DxR4nvJQuozn4SyWTIlXYWXU/wCUuuO52M= )
aede.fulax.net. 73468 IN RRSIG AAAA 8 3 86400 (
20140813003604 20140714135011 10366 fulax.net.
s5RkhYUMwMTOpm9W5kvEJa3Cl7/Uh+SUbbMCLRvaGAj9
WVm4sdN1ZBxZSMLloQwf3HbKutrqi76EK5s+f01C6UNC
XZJ/f1QIBPA3qQBY7k/J1mSclpyj/f0nE2Nx0LVs6hSz
GbLXFQ2UkBlQAI/cpviUSNv8yBDNpsB3YPzl20k= )
;; Query time: 101 msec
;; SERVER: 2001:67c:370:229::7#53(2001:67c:370:229::7)
;; WHEN: Sun Jul 20 14:25:12 EDT 2014
;; MSG SIZE rcvd: 2209
Signed domain, no AAAA, there is a surprising (for me) AD:
% dig AAAA tiw.nl
; <<>> DiG 9.9.5-3-Ubuntu <<>> AAAA tiw.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24437
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;tiw.nl. IN AAAA
;; ANSWER SECTION:
tiw.nl. 3214 IN AAAA 64:ff9b::4d5f:fc31
;; Query time: 3 msec
;; SERVER: 2001:67c:370:229::7#53(2001:67c:370:229::7)
;; WHEN: Sun Jul 20 14:25:36 EDT 2014
;; MSG SIZE rcvd: 63
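
The check discussed in the message above, as an added example that is not part of the original post: a stub-side audit that reads dig output and reports when the AD flag accompanies AAAA records that fall inside the DNS64 prefix. It assumes the RFC 6052 well-known prefix `64:ff9b::/96` seen in the answers; the function names and the abridged sample inputs are constructed for illustration.

```python
import ipaddress

# Well-known NAT64/DNS64 prefix (RFC 6052), as seen in the answers above.
# Assumption: a network-specific prefix would have to be configured instead.
WKP = ipaddress.ip_network("64:ff9b::/96")

# Abridged excerpts of the three dig outputs quoted in the message.
TWITTER = """;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1
;; ANSWER SECTION:
twitter.com. 30 IN AAAA 64:ff9b::c710:9c46
;; AUTHORITY SECTION:
twitter.com. 69830 IN NS ns4.p34.dynect.net.
"""
BORTZMEYER = """;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 10, ADDITIONAL: 18
;; ANSWER SECTION:
www.bortzmeyer.org. 85680 IN AAAA 2001:4b98:dc0:41:216:3eff:fece:1902
www.bortzmeyer.org. 85680 IN AAAA 2605:4500:2:245b::42
"""
TIW = """;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
tiw.nl. 3214 IN AAAA 64:ff9b::4d5f:fc31
"""

def embedded_ipv4(addr):
    """Return the IPv4 address carried in a 64:ff9b::/96 address, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip in WKP:
        return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))
    return None

def audit(dig_output):
    """Report the AD flag and any synthesized AAAA in one dig response."""
    flags, in_answer, synthesized = [], False, {}
    for line in dig_output.splitlines():
        if line.startswith(";; flags:"):
            flags = line[len(";; flags:"):].split(";")[0].split()
        elif line.startswith(";; "):
            in_answer = line.startswith(";; ANSWER SECTION")
        elif in_answer:
            fields = line.split()
            if len(fields) == 5 and fields[2:4] == ["IN", "AAAA"]:
                v4 = embedded_ipv4(fields[4])
                if v4 is not None:
                    synthesized[fields[4]] = v4
    ad = "ad" in flags
    return {"ad": ad, "synthesized": synthesized,
            "ad_on_synthesized": ad and bool(synthesized)}

if __name__ == "__main__":
    for name, text in (("twitter.com", TWITTER), ("tiw.nl", TIW)):
        print(name, audit(text))
```

The audit only compares the header flag with the address range; it performs no signature validation of its own.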