-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi David,
On 03/01/2011 04:11 PM, David Blacka wrote: >> According to section 9.2, unbound *isn't* correct -- if the covering NSEC3 >> RR has the opt-out bit set, you don't set AD. This doesn't change the proof >> -- you see the same NSEC3 RRs regardless. Yes >> No. There is no separate 'insecure' NXDOMAIN proof. The only response that >> is constructed differently due to the opt-out bit is the insecure referral >> (instead of a matching NSEC3, there is a closest encloser NSEC3 and a NSEC3 >> covering the next closer name which MUST have the opt-out bit set.) Yes, I was wrong about that in the email you quote. Best regards, Wouter -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1tHeAACgkQkDLqNwOhpPjjnQCfYcxPaLRhANeVP4w9UTF7Yi9t ob8AmwW49Fwo8FSQFVi4L62anzB8X9Jv =Cfeq -----END PGP SIGNATURE----- _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
