-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ondrej,

On 01/02/2013 06:31 PM, Ondrej Mikle wrote:
> i) Something has changed in the com/net/org TLD with the NSEC3
> around 3 months back, probably by setting the opt-out bit on NSEC3
> records or creating more gaps with NSEC3 records that have the
> opt-out bit set. I should have some old scan of .com TLD, but it'll
> take me some time to retrieve it and compare the records.
>
> ii) Some old version of unbound does not handle this case and sets
> the AD flag (see below).
>
> I am fairly sure that the com/net/org non-existent validation was
> "working" 3-4 months ago, some other people I asked remember it
> this way, too (I used it quite a lot for testing DNSSEC Validator
> and other SW). I wrote "working" in quotes because I'm not 100%
> sure if it was due to a change in the zones or a bug/missing
> feature in unbound or bind. Though I think bind did validate the
> nonexistent com/net/org domains as well back then.
>
>> The machine at 193.29.206.206 that sets the AD flag for optout
>> NSEC3 NXDOMAIN fails to implement RFC5155.
>
> I've just asked admins today and the 193.29.206.206 machine runs
> unbound 1.4.6-1 from Ubuntu Lucid.

So, it is a bug in an older version of unbound, which has already been fixed (ii)?

Ah yes, in 1.4.7 there is this bugfix:
  Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.

> Does anyone know since when do the com/net/org NSEC3s have the
> opt-out bit set?

The authority servers are not the problem here; the older version of
unbound does not set the AD flag correctly for NXDOMAIN responses with
optout.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBAgAGBQJQ5TrUAAoJEJ9vHC1+BF+NAXIP/3ve1GrzZDZRfl8epqDAsl5u
7wQyUBL6xUmqW2h2kqaxmdiKgQITZ39pUJO9uYxFXaMjaDMO4XSkydL56II+vXp6
R0EeoWMpZMaySNJnKgs+o8jFiRNAIt4CIZgXzMLSCgLyTjZucHuF9hHlaMqv1CJ9
WMtvs/dKN/EvbnCBCqS/m+zSCOpovuxLua1zctExw+d9dbmJ18vBJVx5cP9gDPiV
bln4DwaEGM3I5lcxD8b/aEZKs5s+eYNOLm1AD3i+To62NRtYIJkAWLVcp2znM8j2
h6ykPhdaSDP8m0SvJQWY6mZ2nnk1EgvILCzCZYUGpETSuLKAbdUlaZE1foMlxTqq
6av4poLMEc1ltcUnBn+oiprqk3Hu0VAMMdJmAGH/LnhThy/6usRupavaJi3FNWrm
WpCKV6eMQPH5GGZmtUJJjshUGcRFC2KawnQBoRgE6UAPRZlY53le7qZvw4Wt26ck
uDcckPZCwyAUiuFkts1fRq06Yl9okyQfeWbzbC+5H+SckCDFY1gWfGGqZZVNQZ9q
Ub3cAeRCb6KoHU2TE27y7ofPGZp4XgS9VCiKtDf5t0MAaS9/S59OGOzvVPPa2Fjh
mgPdzdEgfiIulk6MsQHIFVbkTslIKZl/YzgKm7Wceoo8E0mEMkfChqVhkNGECsR7
ym2OdL1jttQy1YW8TYSY
=JTbF
-----END PGP SIGNATURE-----
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
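The rule Wouter points at (RFC 5155 section 9.2) is easy to get wrong because an Opt-Out NXDOMAIN proof is a valid proof, just not a Secure one: the NSEC3 that covers the "next closer" name may hide an unsigned delegation in its gap, so the validator must report Insecure and leave AD clear. The following is an added example, not Unbound code and not from the thread: it implements the NSEC3 hash of RFC 5155 section 5, builds a toy NSEC3 chain the way a signer would for a constructed example.com zone (salt aabb, zero iterations, three names; all of this is made up), runs the closest-encloser proof of section 8.4 against a query name, and derives the AD bit from the result. With the same chain flagged Opt-Out, as the com/net/org zones are, the same NXDOMAIN comes back Insecure and AD false, which is the case the 1.4.6 resolver in the thread got wrong. The one real value used is the RFC 5155 Appendix A test vector for the hash function.

```python
"""NSEC3 NXDOMAIN proof and the AD bit (RFC 5155 sections 5, 8.4 and 9.2).

Added example, not Unbound code: builds a toy NSEC3 chain for a constructed
zone, runs the closest encloser proof for a query name and decides whether a
validator may set AD. A proof whose next-closer name is covered by an
Opt-Out NSEC3 is only Insecure, never Secure, so AD must stay clear.
"""
import base64
import hashlib
from collections import namedtuple

OPT_OUT = 0x01                    # NSEC3 flags bit, RFC 5155 section 3.1.2.1

# owner and next are raw 20-byte SHA-1 digests (the hashed owner names)
NSEC3 = namedtuple("NSEC3", "owner flags next")


def wire_name(name):
    """Canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """IH(salt, x, k) from RFC 5155 section 5 with hash algorithm 1 (SHA-1)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h


_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def hashed_owner(name, salt, iterations):
    """Base32hex label that appears as the NSEC3 owner name in the zone file."""
    digest = nsec3_hash(name, salt, iterations)
    return base64.b32encode(digest).translate(_TO_B32HEX).decode().rstrip("=").lower()


def build_chain(names, salt, iterations, opt_out):
    """Signer side: hash every name, sort, link each to the next (last wraps to first).
    opt_out=True mimics a zone like .com whose chain skips insecure delegations."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    flags = OPT_OUT if opt_out else 0
    return [NSEC3(hashes[i], flags, hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def covering(chain, target):
    """The NSEC3 whose owner..next span strictly contains target, or None."""
    for rec in chain:
        if rec.owner < rec.next:
            inside = rec.owner < target < rec.next
        else:                          # last record wraps around the hash space
            inside = target > rec.owner or target < rec.next
        if inside:
            return rec
    return None


def ancestors(qname, zone):
    """qname and its ancestors down to the zone apex, longest name first."""
    labels = qname.rstrip(".").split(".")
    depth = len(labels) - len(zone.rstrip(".").split("."))
    return [".".join(labels[i:]) + "." for i in range(depth + 1)]


def nxdomain_proof(qname, zone, chain, salt, iterations):
    """Closest encloser proof (RFC 5155 8.4): 'secure', 'insecure' or 'bogus'."""
    owners = {rec.owner for rec in chain}
    names = ancestors(qname, zone)
    for i, name in enumerate(names):
        if nsec3_hash(name, salt, iterations) in owners:
            if i == 0:
                return "bogus"         # qname itself exists: not an NXDOMAIN
            closest_encloser, next_closer = name, names[i - 1]
            break
    else:
        return "bogus"                 # not even the apex matches: no proof
    nc = covering(chain, nsec3_hash(next_closer, salt, iterations))
    wc = covering(chain, nsec3_hash("*." + closest_encloser, salt, iterations))
    if nc is None or wc is None:
        return "bogus"                 # next closer or wildcard not proven absent
    if nc.flags & OPT_OUT:
        return "insecure"              # RFC 5155 9.2: gap may hide an insecure delegation
    return "secure"


def ad_flag(status):
    """AD is set only for a Secure result (RFC 5155 9.2); the pre-1.4.7
    Unbound in the thread also set it for the Opt-Out ('insecure') case."""
    return status == "secure"


# Constructed sample zone (not real data): apex plus two hosts, SHA-1, no iterations.
ZONE = "example.com."
SALT = bytes.fromhex("aabb")
ITERATIONS = 0
EXISTING = ["example.com.", "www.example.com.", "mail.example.com."]


def validate(qname, opt_out):
    """(status, AD bit) for an NXDOMAIN answer about qname in the sample zone."""
    chain = build_chain(EXISTING, SALT, ITERATIONS, opt_out)
    status = nxdomain_proof(qname, ZONE, chain, SALT, ITERATIONS)
    return status, ad_flag(status)


if __name__ == "__main__":
    for opt_out in (False, True):
        print("opt-out" if opt_out else "full chain", validate("nosuch.example.com.", opt_out))
    # RFC 5155 Appendix A: hash of "example" with salt aabbccdd and 12 iterations
    print(hashed_owner("example.", bytes.fromhex("aabbccdd"), 12))
```

The chain is built in code rather than typed in, so any name that is not in EXISTING falls into exactly one gap and the proof always succeeds; the only thing that changes between the two runs is the Opt-Out bit, which is what turns a Secure NXDOMAIN into an Insecure one and clears AD. A resolver that keys AD on "proof found" instead of "proof is Secure" shows exactly the behaviour reported for 193.29.206.206.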
