In message <[email protected]>, Stephane Bortzmeyer writes:

> The resolver on the IETF NAT64 network at the Royal York hotel in
> Toronto sets the AD bit when the zone is signed, even when we ask it
> about a AAAA record... which does not exist in the zone.
>
> I checked the RFC on DNS64, RFC 6147 (especially section 3). The IETF
> resolver is "security-aware" and "validating". RFC 6147 says "the
> resolver should also set the Authentic Data (AD) bit on the response".
> For me, it seems obvious that it is true only if the data has
> actually been validated, which is not possible for the synthesized
> AAAA record. Do I read the RFC correctly?
AD=1 indicates that the A record validated as secure and that the
non-existence of the AAAA also validated as secure. As with all uses
of AD you need to know the validator's policy before trusting AD=1.
There are still broken nameservers that just reflect back the request's
AD state.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
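The two practical points in the reply above (only trust AD=1 from a validator whose policy you know, and watch for resolvers that merely echo the query's AD bit) can be turned into a small client-side check. The following is an added example, not code from either poster or from any resolver implementation. It decodes the DNS header flags with the standard library only; the "responder" is a constructed stand-in that models a validating resolver (which, following RFC 6840 section 5.7, sets AD in a reply only when the query asked for it via AD=1 and validation actually succeeded) and a broken one that reflects the query's AD bit. The name unsigned.example. and the resolver addresses are assumptions; nothing is sent on the network.

```python
"""Decode DNS header flags and apply two AD-bit sanity checks.

All messages are built in-process (constructed sample data); the
responders below simulate resolver behaviour and do no network I/O.
"""
import struct

# Flag bit masks in the second 16-bit word of the DNS header
# (RFC 1035; AD and CD are defined in RFC 4035 section 3.2.3).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK = 0x000F
TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name):
    """Encode "www.example." as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid, qname, qtype, want_ad=False):
    """Build a recursive query; want_ad=True sets AD=1 in the query,
    which is how a client asks a validator to report AD in the reply."""
    flags = RD | (AD if want_ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Return the 12-byte header as a dict; flag bits become booleans."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
        "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD), "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def respond(query, validated, reflect_ad=False):
    """Constructed responder (assumption, not a real resolver).

    validated=True models the DNS64 case from the thread: the A record
    and the proof that no AAAA exists both validated, so AD=1 is honest.
    reflect_ad=True models the broken nameserver that copies the query's
    AD bit regardless of validation.
    """
    q = parse_header(query)
    ad = q["ad"] if reflect_ad else (validated and q["ad"])
    flags = QR | RD | RA | (AD if ad else 0)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0)
    return header + query[12:]  # echo the question section, no answer RRs


def ad_trustworthy(query, response, resolver_ip, trusted_validators):
    """Treat AD=1 as meaningful only when the answering resolver is one
    whose validation policy you know (an allowlist you maintain) and the
    response plausibly belongs to your query (QR set, same ID, same
    question section)."""
    q, r = parse_header(query), parse_header(response)
    if resolver_ip not in trusted_validators:
        return False
    if not (r["qr"] and r["id"] == q["id"] and response[12:].startswith(query[12:])):
        return False
    return r["ad"]


def reflects_ad(responder):
    """Probe for AD reflection: ask, with AD=1, for a name in a zone you
    know to be unsigned (unsigned.example. is an assumed placeholder). A
    genuine validator cannot validate such data, so AD=1 in the reply
    means the resolver is echoing the request's AD state."""
    probe = build_query(0x1234, "unsigned.example.", TYPE_AAAA, want_ad=True)
    return parse_header(responder(probe))["ad"]


if __name__ == "__main__":
    q = build_query(7, "www.example.", TYPE_AAAA, want_ad=True)
    honest = respond(q, validated=True)
    print("honest validator AD:", parse_header(honest)["ad"])
    print("trusted:", ad_trustworthy(q, honest, "192.0.2.53", {"192.0.2.53"}))
    print("reflecting resolver detected:",
          reflects_ad(lambda m: respond(m, validated=False, reflect_ad=True)))
```

The probe in reflects_ad is the cheap operational check: pick a name under a zone you control and have not signed, ask the resolver with AD=1, and an AD=1 reply tells you that resolver's AD bit carries no information. The allowlist in ad_trustworthy encodes the reply's first caveat: AD=1 from an arbitrary hotel or hotspot resolver, such as the one in the original question, should be ignored unless you also know and trust its validation policy and the path to it.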
