Hi Stephane,

On 03/01/2011 09:18 AM, Stephane Bortzmeyer wrote:
>> Well, since below the optout stuff is not signed, it is true that
>> the NXDOMAIN is not fully secure, so I support the notion that
>> unbound should not give an AD flag.
>
> Do you plan to change the behaviour of Unbound? I ask it because we
> are developing monitoring tools and they rely on the presence/absence
> of the AD bit, that's why we were disturbed by the discrepancy between
> BIND and Unbound.

It seems to me that underneath an optout-span, stuff is insecure, and
thus so must be the NXDOMAIN case we have here. So I am inclined to
change unbound. But I am also looking for guidance because of questions
about 5155.

>> Example B.1 in RFC5155 is wrong, and it should be changed
>
> I let you report it at <http://www.rfc-editor.org/errata.php>, I'm not
> confident enough to do it.

Yes, but one of the Authors of RFC5155 has responded on this mailing
list, first we must talk about it before posting errata.

Best regards,
Wouter
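
For the monitoring use case raised in this thread, the following is an added example (not part of the original message, and not Unbound or BIND code) of a check that flags an NXDOMAIN response carrying the AD bit while its authority section holds an NSEC3 record with the Opt-Out flag set. The function names and the sample response are constructed for illustration, and the check is a simplification: it looks for any Opt-Out NSEC3 in the authority section rather than identifying which record covers the queried name.

```python
import struct

AD_BIT = 0x0020      # Authenticated Data flag in the DNS header
NXDOMAIN = 3         # RCODE "name does not exist"
TYPE_NSEC3 = 50      # NSEC3 RR type (RFC 5155)
OPT_OUT = 0x01       # Opt-Out bit in the NSEC3 flags octet (RFC 5155)

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]                  # step over one label
    return off + (2 if msg[off] else 1)      # pointer is 2 bytes, root label 1

def parse_response(msg):
    """Return (rcode, ad_set, optout_seen) for a DNS response in wire format."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # QTYPE + QCLASS
    optout = False
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        # NSEC3 RDATA starts with: hash algorithm (1 byte), flags (1 byte)
        if i >= an and rtype == TYPE_NSEC3 and msg[off + 1] & OPT_OUT:
            optout = True
        off += rdlen
    return flags & 0x000F, bool(flags & AD_BIT), optout

def ad_discrepancy(msg):
    """True when an NXDOMAIN with an Opt-Out NSEC3 in authority carries AD."""
    rcode, ad, optout = parse_response(msg)
    return rcode == NXDOMAIN and ad and optout

def wire_name(s):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".") if l) + b"\0"

def sample(ad, nsec3_flags):
    """Constructed NXDOMAIN response with one NSEC3 RR in the authority section."""
    flags = 0x8180 | NXDOMAIN | (AD_BIT if ad else 0)      # QR, RD, RA set
    hdr = struct.pack("!6H", 0x1234, flags, 1, 0, 1, 0)
    q = wire_name("nx.example.") + struct.pack("!HH", 1, 1)
    # alg 1, flags, 10 iterations, empty salt, 20-byte hash, one-window type bitmap
    rdata = bytes([1, nsec3_flags, 0, 10, 0, 20]) + bytes(20) + b"\x00\x01\x40"
    rr = wire_name("h" * 32 + ".example.") + struct.pack(
        "!HHIH", TYPE_NSEC3, 1, 3600, len(rdata)) + rdata
    return hdr + q + rr
```

A monitoring tool would feed `ad_discrepancy` the raw response bytes from each resolver under test and compare the results across resolvers.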
