useless bit is useless. Doge at 11. keep sciensing the DNS. apply more bits!
On Sun, Jul 20, 2014 at 9:35 PM, Mark Andrews <[email protected]> wrote:
>
> In message <[email protected]>, Stephane Bortzmeyer writes:
> > The resolver on the IETF NAT64 network at the Royal York hotel in
> > Toronto sets the AD bit when the zone is signed, even when we ask it
> > about a AAAA record... which does not exist in the zone.
> >
> > I checked the RFC on DNS64, RFC 6147 (especially section 3). The IETF
> > resolver is "security-aware" and "validating". RFC 6147 says "the
> > resolver should also set the Authentic Data (AD) bit on the response".
> > For me, it seems obvious that it is true only if the data has
> > been actually validated, which is not possible for the synthesized
> > AAAA record. Do I read the RFC correctly?
>
> AD=1 indicates that the A record validated as secure and that the
> non-existence of the AAAA also validated as secure. As with all
> uses of AD you need to know the validator's policy before trusting
> AD=1. There are still broken nameservers that just reflect back
> the request's AD state.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
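The rule Mark Andrews states above (AD=1 on a DNS64 answer means the A record validated as secure and the non-existence of the AAAA also validated as secure, and a client still needs to know the validator's policy before trusting the bit) is small enough to model end to end. The following is an added example, not code from either poster or from any real resolver: a toy validating DNS64 responder that decides when to set AD, and a stub-side check that only honours AD=1 from a resolver it has configured as a trusted validator over a path it trusts. The validation statuses (secure/insecure/bogus), the sample header bytes and the 192.0.2.1 address are constructed inputs; the Pref64 default is the well-known 64:ff9b::/96 from RFC 6052. The synthesized AAAA carries no RRSIG, so a validating stub behind such a resolver would still not be able to validate it itself; the example does not model that further.

```python
import ipaddress
import struct

# Validation outcomes a validating resolver can reach for an RRset or a
# non-existence proof (constructed labels, not wire-format values).
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# DNS header flag bit positions (RFC 1035 with the AD/CD bits of RFC 2535).
QR_BIT, RD_BIT, RA_BIT, AD_BIT, CD_BIT = 15, 8, 7, 5, 4


def build_header(msg_id, *, ad=0, cd=0, rcode=0, ancount=0):
    """Pack a 12-byte DNS response header: QR=1, RD=1, RA=1, one question."""
    flags = (1 << QR_BIT) | (1 << RD_BIT) | (1 << RA_BIT)
    flags |= (ad << AD_BIT) | (cd << CD_BIT) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)


def parse_header_flags(header):
    """Unpack the flag bits a stub resolver looks at, AD included."""
    if len(header) < 12:
        raise ValueError("DNS header is 12 bytes")
    msg_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", header[:12])
    return {
        "id": msg_id,
        "qr": (flags >> QR_BIT) & 1,
        "ra": (flags >> RA_BIT) & 1,
        "ad": (flags >> AD_BIT) & 1,
        "cd": (flags >> CD_BIT) & 1,
        "rcode": flags & 0xF,
        "ancount": an,
    }


def synthesize_aaaa(ipv4, pref64="64:ff9b::/96"):
    """RFC 6147 synthesis: embed the IPv4 address in the low 32 bits of Pref64."""
    net = ipaddress.IPv6Network(pref64)
    if net.prefixlen != 96:
        raise ValueError("example only handles a /96 Pref64")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(net.network_address) | int(v4)))


def dns64_response(msg_id, a_rrset, a_status, aaaa_status, pref64="64:ff9b::/96"):
    """Toy validating DNS64 resolver answering a AAAA query for a name that
    has A records but no AAAA. Returns (header bytes, synthesized AAAA list).

    AD is set only when BOTH the A data and the proof that no AAAA exists
    validated as secure; anything bogus yields SERVFAIL (rcode 2).
    """
    if BOGUS in (a_status, aaaa_status):
        return build_header(msg_id, rcode=2), []
    aaaa = [synthesize_aaaa(a, pref64) for a in a_rrset]
    ad = 1 if (a_status == SECURE and aaaa_status == SECURE) else 0
    return build_header(msg_id, ad=ad, ancount=len(aaaa)), aaaa


def trust_ad(flags, resolver_is_trusted_validator, path_is_secure):
    """Stub-side policy: AD=1 is only meaningful if the client knows the
    responder validates and the reply could not be altered in transit.
    Otherwise the bit may simply be an echo of the request's AD flag."""
    return bool(flags["ad"]) and resolver_is_trusted_validator and path_is_secure


if __name__ == "__main__":
    hdr, answers = dns64_response(0x1234, ["192.0.2.1"], SECURE, SECURE)
    flags = parse_header_flags(hdr)
    print(answers, "AD=%d" % flags["ad"])
    print("trusted:", trust_ad(flags, True, True),
          "untrusted resolver:", trust_ad(flags, False, True))
```

Run it and the secure/secure case yields a synthesized 64:ff9b::c000:201 with AD=1; change either status to insecure and AD drops to 0 while the answer is still synthesized; a bogus status returns SERVFAIL with nothing synthesized.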
