> > As far as I know, DNSSEC requires the validator to validate every RRset in
> > the answer and authority sections. It also requires the validator to
> > verify that there is proof of NXDOMAIN or NODATA. However, there doesn't
> > seem any requirement that the validator removes unwanted data.
> 
> There are no such requirements. You may be thinking of setting AD=1
> where the validating resolver is asserting that every RRset in the
> ANSWER and AUTHORITY sections of the response it is producing has
> been validated as secure.
> 
> Note AD=1 is only supposed to be accepted if you trust the resolver
> and can verify that the answer has not been tampered with.

My interpretation is that whether or not a validator returns SERVFAIL only
depends on the CD flag, not on the AD flag.

So my validator performs the exact same checks whether AD is set or not (and
doesn't check when CD is set).

The only difference is that at the end if the reply is considered DNSSEC secure
and the AD flag was set in the request then the AD flag will be set in the
reply.

Are there validators that check less when AD is not set? Do they omit checks
for NXDOMAIN or NODATA, do they allow extra data without valid signatures?

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
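The response handling the last message describes (identical checks whether or not AD is requested, CD alone deciding SERVFAIL, AD=1 only for a fully secure ANSWER/AUTHORITY), as an added example that is not part of the thread. It is a small model of the RFC 4035 semantics in Python; `finalize`, `RRset` and `Status` are hypothetical names, and it also covers the NXDOMAIN/NODATA proof check the first message mentions.

```python
from dataclasses import dataclass
from enum import Enum

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3   # RCODE values


class Status(Enum):
    SECURE = "secure"        # chain of trust validated up to a trust anchor
    INSECURE = "insecure"    # provably under an unsigned delegation
    BOGUS = "bogus"          # signature or denial-of-existence check failed


@dataclass
class RRset:
    name: str
    rtype: str
    section: str   # "answer" or "authority" (ADDITIONAL is not validated)
    status: Status


def finalize(rrsets, rcode, zone_signed, cd, ad_requested):
    """Return (rcode, ad_bit) a validating resolver hands to its client.

    Hypothetical model, not any real resolver's code: the validation checks
    run the same way regardless of the AD bit in the query; CD=1 alone
    suppresses SERVFAIL; AD=1 is set only when every RRset in ANSWER and
    AUTHORITY validated as secure and the client asked for AD.
    """
    checked = [r for r in rrsets if r.section in ("answer", "authority")]
    # Check 1: no RRset in ANSWER or AUTHORITY may have failed validation.
    failed = any(r.status is Status.BOGUS for r in checked)
    # Check 2: a negative answer (NXDOMAIN, or NODATA = empty ANSWER) from a
    # signed zone must carry a validated NSEC/NSEC3 proof in AUTHORITY.
    negative = rcode == NXDOMAIN or not any(r.section == "answer" for r in checked)
    if negative and zone_signed:
        proof = [r for r in checked
                 if r.section == "authority" and r.rtype in ("NSEC", "NSEC3")]
        if not proof or any(r.status is not Status.SECURE for r in proof):
            failed = True
    if cd:
        return rcode, False        # CD=1: pass data through, never assert AD
    if failed:
        return SERVFAIL, False     # CD=0: refuse to return bogus data
    secure = bool(checked) and all(r.status is Status.SECURE for r in checked)
    return rcode, (secure and ad_requested)


if __name__ == "__main__":
    # Constructed sample: a secure A record answered to a client that set AD=1.
    print(finalize([RRset("www.example.", "A", "answer", Status.SECURE)],
                   NOERROR, True, cd=False, ad_requested=True))
```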
