> On 16 Jan 2024, at 10:13, Paul Wouters <p...@nohats.ca> wrote:
>
> On Mon, 15 Jan 2024, Warren Kumari wrote:
>
>> dig +nocookie +edns=0 +noad +norec +dnssec soa $zone @$server
>> expect: status: NOERROR
>> expect: the SOA record to be present in the answer section
>> expect: an OPT record to be present in the additional section
>> expect: DO=1 to be present if an RRSIG is in the response
>> expect: EDNS Version 0 in response
>> expect: flag: aa to be present
>>
>> The actual output from dig goeth thus:
>>
>> dig +nocookie +edns=0 +noad +norec +dnssec soa ietf.org @jill.ns.cloudflare.com.
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20613
>> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 1232
>>
>> Seeing as the document says you should "expect: flag: aa to be present", it
>> does seem like it would be better if it also said: "expect: flag: do to be
>> present if an RRSIG is in the response", as that is more in line with what
>> someone writing a test would see.
>
> It's not really in the flags: section, but in the EDNS0 flags section.
>
> It should already really use the plural for flag, eg: expect: flags: to
> contain "aa".
>
> What's more confusing here I think is the example dig command using
> "@$server". I think what was meant was an authoritative server, but the
> errata reporter ran it against a public resolver (an instance of 1.1.1.1),
> which returned him a Refused (when I try that against 1.1.1. I get
> ServFail)
>
> Warren ran his example of ietf.org against an authoritative server,
> because he knew using "no recursion" at a recursor makes no sense :)
>
>> This seems like a fairly simple clarification / place where things could
>> have been worded better, but I don't think that it rises to the level of a
>> "Verified" errata, but it's also not wrong, so my proposed resolution is:
>> Accept the errata as Editorial, Hold for Document Update.
>> ("Hold for Document Update - The erratum is not a necessary update to the
>> RFC. However, any future update of the document might consider it and
>> determine whether it merits including in an update." — from:
>> https://www.ietf.org/about/groups/iesg/statements/processing-errata-ietf-stream/
>> )
>>
>> Can anyone not live with this? Please speak up by Jan 29th, otherwise I'll
>> do what's above.
>
> That seems fine with me. Maybe mention that "@$server" refers to an
> authoritative server, and not a recursive server, as well?
See section 8

> Paul
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
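
The expectations quoted from the document above, written as a checker over dig's text output. This is an added example, not code from the thread or from the document under discussion; the function name, the failure labels and the sample response for example.test are constructed for illustration. It reads the DNS header flags and the EDNS flags from their separate lines, which is the distinction the thread turns on.

```python
import re

# Constructed sample in dig's output layout (not a capture from the thread).
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;example.test.          IN SOA

;; ANSWER SECTION:
example.test. 300 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 300
example.test. 300 IN RRSIG SOA 13 2 300 20300101000000 20200101000000 12345 example.test. c2ln
"""

def check_dig_output(text):
    """Return the expectations that failed; an empty list means the test passed."""
    status = edns_version = section = None
    header_flags, edns_flags, answer_types, all_types = [], [], [], []
    for line in text.splitlines():
        if m := re.match(r";; ->>HEADER<<-.*status: (\w+)", line):
            status = m.group(1)
        elif m := re.match(r";; flags:([^;]*);", line):          # DNS header flags
            header_flags = m.group(1).split()
        elif m := re.match(r"; EDNS: version: (\d+), flags:([^;]*);", line):
            edns_version, edns_flags = int(m.group(1)), m.group(2).split()
        elif m := re.match(r";; (\w+) SECTION:", line):          # QUESTION/ANSWER/...
            section = m.group(1)
        elif line and not line.startswith(";") and len(line.split()) > 3:
            rtype = line.split()[3]                              # name ttl class TYPE ...
            all_types.append(rtype)
            if section == "ANSWER":
                answer_types.append(rtype)
    checks = [
        (status == "NOERROR", "status: NOERROR"),
        ("SOA" in answer_types, "SOA record in the answer section"),
        (edns_version is not None, "OPT record in the additional section"),
        (edns_version == 0, "EDNS Version 0 in response"),
        ("aa" in header_flags, "header flags contain aa"),
        ("RRSIG" not in all_types or "do" in edns_flags,
         "EDNS flags contain do when an RRSIG is present"),
    ]
    return [label for ok, label in checks if not ok]
```

A response from a recursive server to the same +norec query fails the status and aa checks here, which matches the Refused and ServFail results described in the thread.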