[Bug 242956] Re: Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

Still broken. $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description:Ubuntu 9.04 Release:9.04 Codename: jaunty -- Bind9 (8.04) not returning 'ad' flag when dnssec is enabled https://bugs.launchpad.net/bugs/242956 You received this bug notification

[Bug 242956] Re: Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

Still broken. $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description:Ubuntu 9.04 Release:9.04 Codename: jaunty -- Bind9 (8.04) not returning 'ad' flag when dnssec is enabled https://bugs.launchpad.net/bugs/242956 You received this bug notification

[Bug 242956] Re: Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

It would be very cool if someone could get the AD bit parsing done in the resolver library before the next release. I believe this is the only thing stopping us from using DNSSEC as outlined above. -- Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

[Bug 242956] Re: Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

It would be very cool if someone could get the AD bit parsing done in the resolver library before the next release. I believe this is the only thing stopping us from using DNSSEC as outlined above. -- Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

[Bug 242956] Re: Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

Moving this issue. When options edns0 is turned on (usually in /etc/resolv.conf), ssh doesn't see it, and fails to request a DNSSEC response, which in turn leads to SSHFP records being considered insecure. ** Changed in: openssh (Ubuntu) Sourcepackagename: bind9 = openssh Assignee: LaMont

[Bug 242956] Re: Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It also sets an EDNS flag bit in queries to indicate that it wishes to receive DNSSEC responses; this flag bit usage is not yet standardized, but we hope it will be. -- Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

[Bug 242956] Re: Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It also sets an EDNS flag bit in queries to indicate that it wishes to receive DNSSEC responses; this flag bit usage is not yet standardized, but we hope it will be. -- Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

Re: [Bug 242956] Re: Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

Thanks for your response. What you're seeing here is that the AD bit was redefined here: http://www.ietf.org/rfc/rfc3655.txt That is why options edns0 is defined, so that the client is forced to ask for the AD bit. Who do you suggest I talk to about this? Thanks, -- Bryan Buecking

Re: [Bug 242956] Re: Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

Thanks for your response. What you're seeing here is that the AD bit was redefined here: http://www.ietf.org/rfc/rfc3655.txt That is why options edns0 is defined, so that the client is forced to ask for the AD bit. Who do you suggest I talk to about this? Thanks, -- Bryan Buecking

[Bug 242956] [NEW] Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

Public bug reported: Binary package hint: bind9 % lsb_release -rd Description:Ubuntu 8.04 Release:8.04 % apt-cache policy bind9 bind9: Installed: 1:9.4.2-10 Candidate: 1:9.4.2-10 Version table: *** 1:9.4.2-10 0 500 http://ubuntu-ashisuto.ubuntulinux.jp hardy/main

[Bug 242956] [NEW] Bind9 (8.04) not returning 'ad' flag when dnssec is enabled

Public bug reported: Binary package hint: bind9 % lsb_release -rd Description:Ubuntu 8.04 Release:8.04 % apt-cache policy bind9 bind9: Installed: 1:9.4.2-10 Candidate: 1:9.4.2-10 Version table: *** 1:9.4.2-10 0 500 http://ubuntu-ashisuto.ubuntulinux.jp hardy/main