Hi,

So I looked at it some more. It seems to me that the optout example zone creates some issues in RFC5155 appendix B; it should note that the optout NSEC3s mean the answer does not get the AD flag (or not use optout). We need to follow section 9.2. The issue is broader than you notice; it also affects the other uses of NSEC3 as next-closer with optout set. Those become securely-insecure (no AD flag) too. This means example B.1 (nxdomain) and B.4 (wildcard).

I think unbound should implement this.

And the errata (the shortest one) is that example B.1 and B.4 have no AD flag from the validator; or, if 'the AD flag is left unspecified in the examples' as David says, no errata is necessary.

Best regards,
Wouter

On 03/01/2011 10:58 AM, Matthijs Mekking wrote:
> On 03/01/2011 12:52 AM, David Blacka wrote:
>> On Feb 28, 2011, at 11:07 AM, W.C.A. Wijngaards wrote:
>>> Example B.1 in RFC5155 is wrong, and it should be changed to have the optout flag removed from the nextcloser NSEC3 (0p9mhaveqvm6t7vbl5lop2u3t2rp3tom).
>>>
>>> (With the optout flag set, the example is insecure, and also the wildcard denial has to be removed.)
>>
>> Where in 5155 does it say that the NXDOMAIN proof is different in the opt-out case? My memory (and a quick search through 5155) is that only the insecure referral proof is different with Opt-Out.
>>
>> AFAICT example B.1 is correct. The examples don't show the AD bit status (they are showing the responses from the authoritative server), but I thought section 9.2 was clear enough.
>
> But it is confusing:
>
> RFC 5155 also shows example responses with NSEC3s that match the QNAME and also don't have the AD bit set. These records don't provide closest encloser proofs, as far as I understand. As a result, examples B.2, B.2.1 and B.6 should have the AD bit set.
>
> Best regards,
>
> Matthijs
>
>> --
>> David Blacka <[email protected]>
>> Principal Engineer Verisign Platform Product Development
>>
>> _______________________________________________
>> Unbound-users mailing list
>> [email protected]
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
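The section 9.2 rule the thread is about, as an added illustration (this is not code from the thread, from Unbound or from RFC 5155): a small validator-side check that performs the RFC 5155 section 8.4 NXDOMAIN proof (closest encloser matched, next closer and wildcard covered) and then applies section 9.2, so a denial whose next-closer covering NSEC3 has the Opt-Out flag set is still accepted but classified as insecure, i.e. the validator must not set the AD flag. The zone names are constructed and the function names are the example's own; only the hash parameters (SHA-1, salt aabbccdd, 12 iterations) are borrowed from the RFC 5155 Appendix A zone so that the hash of the apex can be compared with the owner name quoted above (0p9mhaveqvm6t7vbl5lop2u3t2rp3tom). The same `opt_out` test on the next-closer record is what makes the wildcard answer of example B.4 insecure; the block only classifies NXDOMAIN responses.

```python
"""Classify an NSEC3 NXDOMAIN denial as secure or insecure (RFC 5155 sections 8.4 and 9.2).

Added example with a constructed toy zone; not the RFC 5155 Appendix A zone and not Unbound code.
"""
import base64
import hashlib
from dataclasses import dataclass

# Hash parameters of the RFC 5155 Appendix A zone (NSEC3PARAM 1 0 12 aabbccdd):
# algorithm 1 = SHA-1, 12 additional iterations, salt aabbccdd.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12

# Constructed toy zone: the signed names that receive an NSEC3 RR (not the RFC's zone contents).
ZONE = "example."
ZONE_NAMES = ["example.", "ns1.example.", "w.example.", "x.w.example.", "*.w.example.", "xx.example."]

# base64.b32encode uses the standard alphabet; NSEC3 uses base32hex (RFC 4648 "Extended Hex").
_TO_HEX32 = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


@dataclass(frozen=True)
class NSEC3:
    owner_hash: str  # base32hex hash forming the first label of the RR owner name
    next_hash: str   # "Next Hashed Owner Name" field
    opt_out: bool    # Flags field bit 0 (value 1) = Opt-Out


def canonical(name: str) -> str:
    """Lower-case, fully qualified form: RFC 5155 hashes the canonical wire-format name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def name_to_wire(name: str) -> bytes:
    """Uncompressed wire format: length-prefixed labels terminated by the empty root label."""
    out = b""
    for label in canonical(name).rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """base32hex without padding, lower case, as NSEC3 owner names are written."""
    return base64.b32encode(data).translate(_TO_HEX32).decode("ascii").rstrip("=").lower()


def nsec3_hash(name: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def build_chain(names, opt_out: bool, salt: bytes = SALT, iterations: int = ITERATIONS):
    """Complete chain: each RR points at the next hash in sorted order, the last wraps to the first.
    base32hex was chosen by the RFC precisely because it preserves the binary sort order."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [NSEC3(h, hashes[(i + 1) % len(hashes)], opt_out) for i, h in enumerate(hashes)]


def covers(rr: NSEC3, h: str) -> bool:
    """True if h lies strictly between owner and next, including the wrap-around record."""
    if rr.owner_hash < rr.next_hash:
        return rr.owner_hash < h < rr.next_hash
    return h > rr.owner_hash or h < rr.next_hash


def find_match(chain, h):
    return next((rr for rr in chain if rr.owner_hash == h), None)


def find_cover(chain, h):
    return next((rr for rr in chain if covers(rr, h)), None)


def parent(name: str) -> str:
    labels = canonical(name).rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def classify_nxdomain(chain, qname, zone=ZONE, salt=SALT, iterations=ITERATIONS) -> str:
    """Return "exists" (qname is matched, so NXDOMAIN is wrong), "bogus" (proof incomplete),
    "secure" (full proof, AD may be set) or "insecure" (RFC 5155 9.2: the NSEC3 covering the
    next closer name has Opt-Out set, so the response MUST NOT carry the AD flag)."""
    qname, zone = canonical(qname), canonical(zone)
    if qname != zone and not qname.endswith("." + zone):
        return "bogus"
    if find_match(chain, nsec3_hash(qname, salt, iterations)):
        return "exists"
    # Closest encloser proof (8.3): climb towards the apex until a name is matched by an NSEC3.
    ancestors = [qname]
    while ancestors[-1] != zone:
        ancestors.append(parent(ancestors[-1]))
    for next_closer, closest in zip(ancestors, ancestors[1:]):
        if find_match(chain, nsec3_hash(closest, salt, iterations)):
            break
    else:
        return "bogus"  # not even the apex is matched: the chain is not this zone's
    # NXDOMAIN (8.4): the next closer name and the wildcard at the closest encloser must be covered.
    nc_rr = find_cover(chain, nsec3_hash(next_closer, salt, iterations))
    wc_rr = find_cover(chain, nsec3_hash("*." + closest, salt, iterations))
    if nc_rr is None or wc_rr is None:
        return "bogus"  # a matched wildcard means the answer should have been an expansion
    return "insecure" if nc_rr.opt_out else "secure"


if __name__ == "__main__":
    for opt_out in (False, True):
        chain = build_chain(ZONE_NAMES, opt_out)
        print(f"opt-out={opt_out}: a.c.x.w.example. ->", classify_nxdomain(chain, "a.c.x.w.example."))
```

Running the block builds the same toy chain twice, once with and once without Opt-Out on every record, and classifies the same NXDOMAIN query against both: the proof is complete in both cases, but only the chain without Opt-Out yields "secure". A wildcard that exists at the closest encloser (`b.w.example.` with `*.w.example.` in the zone) is reported as "bogus" for an NXDOMAIN, since such a query should have produced a wildcard expansion instead.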
