Hi Jia Li,

Could it be that you are using a version before 1.4.9? There is a fix
listed: Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in
optout, in unbound 1.4.9.

Best regards,
   Wouter

On 07/07/2011 08:16 AM, Jia Li wrote:
>
>
> When I use Unbound as a validator to test opt-out NSEC3, I found that
> in the "wildcard expansion" case, Unbound responds with no AD flags, while
> in the "wildcard no data" case, Unbound responds with AD flags. Is this an
> inconsistency? According to RFC 5155 "9.2. Use of the AD bit", the AD bit
> must not be set when a response containing an NSEC3 RR that covers the "next
> closer" name has the opt-out bit set.
>
> So maybe in both cases Unbound should not set the AD bit?
>
> "wildcard expansion" case query has result as follows:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65187
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;b.wild.optout.example. IN A
>
> ;; ANSWER SECTION:
> b.wild.optout.example. 300 IN A 10.0.0.6
> b.wild.optout.example. 300 IN RRSIG A 7 3 300 20110806020105
> 20110707020105 54458 optout.example.
> Epk2nJ16+JzMZOHVF0qa+65OxttM8pE25l3u+oLoWpPaGgF6udZmJfhU
> rw8LThrwYhb5JSxCo4jN7Z7LQa9+sVaWbXzKWD5uCbRcnHajV3bCF1vZ F1b0ZZcIfRLj2vOB
>
> ;; AUTHORITY SECTION:
> optout.example. 300 IN NS ns.optout.example.
> optout.example. 300 IN RRSIG NS 7 2 300 20110806020105
> 20110707020105 54458 optout.example.
> HTWJ3lVz7+ksF3P/XEj+13JANSofH82mTQnEjBJghKl4NlxwofcB0L2q
> t468pfUHZFoZ/eQawhCHgJvppPUY3lXmOCMHD6YwwDklnYE5HcaLYnOP LxJK7Xr842o0BXb4
> M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN NSEC3 1 1 10 -
> QVSNM823Q1GIK9CRGG58TK9AOLCR0DC2
> M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN RRSIG NSEC3 7 3 3600
> 20110806020105 20110707020105 54458 optout.example.
> VplQeqb2QF71ZYLBR97H5uyzxuALj1NKcLXtDjFEjOlUjSIohyX3UXZ3
> HIqkYm/HhsQ/HyeNHGH4hiCqOYjJnfgxlU67kfwhfr4qrkTYeBDxjTN+ nqJtA39H2YyE/0nt
>
> ;; ADDITIONAL SECTION:
> ns.optout.example. 300 IN A 10.53.0.3
> ns.optout.example. 300 IN RRSIG A 7 3 300 20110806020105
> 20110707020105 54458 optout.example.
> cTk09mW73DrFu7LNgt0aMV8E3fgrBLuqADWEbb+ZaygfYJYWNF4Y+q+O
> 3iHgR6CBmW1soMGobwS8xSgNMTEMtPPKWUtnpESqsCRm48ryA+3+F46R mn2BPmgLF7G6E3Hg
>
>
>
> "wildcard no data" case as follows:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59596
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;b.wild.optout.example. IN AAAA
>
> ;; AUTHORITY SECTION:
> M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN NSEC3 1 1 10 -
> QVSNM823Q1GIK9CRGG58TK9AOLCR0DC2
> M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN RRSIG NSEC3 7 3 3600
> 20110806020105 20110707020105 54458 optout.example.
> VplQeqb2QF71ZYLBR97H5uyzxuALj1NKcLXtDjFEjOlUjSIohyX3UXZ3
> HIqkYm/HhsQ/HyeNHGH4hiCqOYjJnfgxlU67kfwhfr4qrkTYeBDxjTN+ nqJtA39H2YyE/0nt
> EJ0VQS7A2RURJ4K5QLMURRQQGIG667KK.optout.example. 3600 IN NSEC3 1 1 10 -
> F1B8R8H9UMD9OS8NH6I63TOO0K39AB11 A RRSIG
> EJ0VQS7A2RURJ4K5QLMURRQQGIG667KK.optout.example. 3600 IN RRSIG NSEC3 7 3 3600
> 20110806020105 20110707020105 54458 optout.example.
> AH+FOkZQXf91/tIXbRAuyO98uG3a5kC4A4o7kwzK1XV2PInh6mQD2MsY
> FkmrRU99EHkrsx8nMCq2p7oq2e2wHmwr7lOD+NrH0CO6QYUjs0TnT83n XLXpcXgn8QdkJ2GS
> optout.example. 300 IN SOA mname1. . 2000042407 20 20
> 1814400 3600
> optout.example. 300 IN RRSIG SOA 7 2 300 20110806020105
> 20110707020105 54458 optout.example.
> w/NZwX4wbCUhX9+oS8AetzARxIYN6JlD5RATXQtHRiG3hnlGAQmf0kcu
> YmE1VHtPZP99X+kCH6h+CG23Thesy29EdnHKyoAmymyeKRoOtrkC/I9h oPPx4ppfWwsIQ8hS
>
>
> 2011-07-07
> ------------------------------------------------------------------------
> Jia Li
>
>
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
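
The RFC 5155 section 9.2 rule discussed in this thread, as an added example that is not part of the original messages or Unbound's code: it hashes a next closer name and reports whether a covering NSEC3 record has the Opt-Out bit set. The two sample records are constructed; only their parameters (algorithm 1, 10 iterations, empty salt) follow the quoted dig output.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648), whose
# ASCII order matches the order of the underlying hash bytes.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lower-case) DNS wire format of a domain name."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: salted, iterated SHA-1, returned in base32hex."""
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    digest = hashlib.sha1(wire_name(name) + salt_bytes).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt_bytes).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode()

def parse_nsec3(line):
    """Fields: owner ttl class NSEC3 alg flags iterations salt next-hash ..."""
    f = line.split()
    return {"owner": f[0].split(".")[0].upper(), "opt_out": bool(int(f[5]) & 1),
            "iterations": int(f[6]), "salt": f[7], "next": f[8].upper()}

def covers(rec, h):
    """True if h lies strictly between the owner hash and the next hash."""
    if rec["owner"] < rec["next"]:
        return rec["owner"] < h < rec["next"]
    return h > rec["owner"] or h < rec["next"]  # last record wraps around

def ad_allowed(next_closer, nsec3_lines):
    """False if an NSEC3 covering next_closer has Opt-Out set (RFC 5155 9.2).
    Checks only this rule, not signatures or the rest of the proof."""
    for rec in map(parse_nsec3, nsec3_lines):
        h = nsec3_hash(next_closer, rec["salt"], rec["iterations"])
        if covers(rec, h) and rec["opt_out"]:
            return False
    return True

# Constructed records spanning nearly the whole hash space, using the
# parameters seen in the quoted output (SHA-1, 10 iterations, empty salt).
OPT_OUT = ("00000000000000000000000000000000.optout.example. 3600 IN "
           "NSEC3 1 1 10 - VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV")
NO_OPT_OUT = OPT_OUT.replace("NSEC3 1 1 10", "NSEC3 1 0 10")

if __name__ == "__main__":
    for line in (OPT_OUT, NO_OPT_OUT):
        print(ad_allowed("b.wild.optout.example.", [line]))
```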
