On 01/03/2013 09:01 AM, W.C.A. Wijngaards wrote:
> On 01/02/2013 06:31 PM, Ondrej Mikle wrote:
> 
>>> The machine at 193.29.206.206 that sets the AD flag for optout
>>> NSEC3 NXDOMAIN fails to implement RFC5155.
> 
>> I've just asked admins today and the 193.29.206.206 machine runs
>> unbound 1.4.6-1 from Ubuntu Lucid.
> 
> So, it is a bug in an older version of unbound, which has already been
> fixed (ii)?  Ah yes, in 1.4.7 there is this bugfix: Abide RFC5155
> section 9.2: no AD flag for replies with NSEC3 optout.

Thanks, this is likely the reason I remember the validation "working". I went
through some of the older recorded scans of .com from May and the .com NSEC3s were
'insecure' back then, too. I'd guess it will be the same with the .net TLD.

Ondrej
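
An added example, not part of the original message and not Unbound's own code: a check that flags an NXDOMAIN response which carries the AD flag while its authority section contains an NSEC3 record with the Opt-Out bit set, the behaviour discussed above. The record lines, hashes and function names are constructed for illustration, and the check assumes dig-style "owner ttl class type ..." lines.

```python
from dataclasses import dataclass

OPT_OUT = 0x01  # Opt-Out is the least significant bit of the NSEC3 Flags field

@dataclass
class Nsec3:
    owner: str
    hash_alg: int
    flags: int
    iterations: int

    @property
    def opt_out(self) -> bool:
        return bool(self.flags & OPT_OUT)

def parse_nsec3(line):
    """Parse 'owner ttl class NSEC3 alg flags iter salt next types...'.
    Returns None for other types, including RRSIGs that merely cover NSEC3."""
    tok = line.split()
    if len(tok) < 9 or tok[3] != "NSEC3":
        return None
    return Nsec3(tok[0].lower(), int(tok[4]), int(tok[5]), int(tok[6]))

def optout_ad_violations(rcode, ad_flag, authority_lines):
    """Owners of opt-out NSEC3 RRs in an NXDOMAIN answer that carries AD.
    Simplification (assumption): any opt-out NSEC3 in the authority section
    counts; RFC 5155 9.2 strictly concerns the one covering the next closer name."""
    if rcode != "NXDOMAIN" or not ad_flag:
        return []
    recs = filter(None, map(parse_nsec3, authority_lines))
    return [r.owner for r in recs if r.opt_out]

# Constructed authority section (hashes and signature are made up).
SAMPLE_AUTHORITY = [
    "com. 900 IN SOA a.example. b.example. 1 1800 900 604800 86400",
    "AAAA1111.com. 86400 IN NSEC3 1 1 0 - AAAA2222 NS SOA RRSIG DNSKEY NSEC3PARAM",
    "AAAA1111.com. 86400 IN RRSIG NSEC3 8 2 86400 20130110000000 20130103000000 1 com. c2ln",
    "BBBB1111.com. 86400 IN NSEC3 1 0 0 - BBBB2222 NS DS RRSIG",
]

if __name__ == "__main__":
    # AD set on an opt-out NXDOMAIN: the pre-1.4.7 behaviour described above.
    print(optout_ad_violations("NXDOMAIN", True, SAMPLE_AUTHORITY))
    # AD cleared: nothing to report.
    print(optout_ad_violations("NXDOMAIN", False, SAMPLE_AUTHORITY))
```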


_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
