On 03/01/2011 12:52 AM, David Blacka wrote:
>
> On Feb 28, 2011, at 11:07 AM, W.C.A. Wijngaards wrote:
>
>> Example B.1 in RFC5155 is wrong, and it should be changed to have the
>> optout flag removed from the nextcloser NSEC3
>> (0p9mhaveqvm6t7vbl5lop2u3t2rp3tom).
>>
>> (with the optout flag set, the example is insecure, and also the
>> wildcard denial has to be removed).
>
> Where in 5155 does it say that the NXDOMAIN proof is different in the opt-out
> case? My memory (and a quick search through 5155) is that only the insecure
> referral proof is different with Opt-Out.
>
> AFAICT example B.1 is correct. The examples don't show the AD bit status
> (they are showing the responses from the authoritative server), but I thought
> section 9.2 was clear enough.

But it is confusing: RFC 5155 also shows example responses with an NSEC3
that matches the QNAME, and these also don't have the AD bit set. These records
don't provide closest encloser proofs, as far as I understand. As a
result, examples B.2, B.2.1 and B.6 should have set the AD bit.

Best regards,
Matthijs

> --
> David Blacka <[email protected]>
> Principal Engineer Verisign Platform Product Development
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
