Hi Viktor,

On 30/05/16 20:11, Viktor Dukhovni via Unbound-users wrote:
> On Mon, May 30, 2016 at 09:18:59AM +0200, W.C.A. Wijngaards wrote:
>
>> If secure and bogus are both not set, the message is 'insecure', i.e. it
>> was not dnssec signed.
>
> Also SERVFAIL, FORMERR, NOTIMP, ... are neither secure nor insecure.
> DNSSEC Security status only applies to a response RRset or denial
> of existence of that RRset.
>
> The only response codes for which the secure/insecure distinction
> applies are:
>
>     NOERROR
>     NXDOMAIN
>     NODATA (NOERROR + ANCOUNT = 0)

Libunbound exports the 'rcode' field that can be used for this
(rcode==0 || rcode==3), it contains the RCODE of the return message.
That could also be SERVFAIL, i.e. lookup error of some sort.

Best regards,
   Wouter

> All other error codes don't distinguish between signed and unsigned
> zones, all we know is that the lookup failed (misconfiguration,
> DoS, MiTM, ...).
>
> This is important in opportunistic DANE TLS, see:
>
>     https://tools.ietf.org/html/rfc7672#section-2.1
>
> There I make the case that non-bogus NOERROR, NODATA and NXDOMAIN
> are not errors, while bogus responses and all other response codes
> are lookup errors.
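A worked classification of libunbound results along the lines Viktor lays out above, added here as an illustration; it is not code from Unbound or from either poster. It assumes only the field names rcode, havedata, nxdomain, secure and bogus from libunbound's struct ub_result and the ub_resolve() convention of returning 0 on success. The struct is mirrored locally so the snippet compiles without libunbound, and the names result_view, classify, response_kind and status_name are made up for the example. The sample results at the bottom are constructed, not captured from a resolver.

```c
#include <stdio.h>
#include <stddef.h>

/* Outcome classes used in the thread and in RFC 7672 section 2.1. */
enum dane_status {
    DANE_SECURE,        /* validated answer or validated denial of existence */
    DANE_INSECURE,      /* NOERROR / NODATA / NXDOMAIN from an unsigned zone */
    DANE_BOGUS,         /* validation failed: a lookup error, never "unsigned" */
    DANE_LOOKUP_ERROR   /* SERVFAIL, FORMERR, NOTIMP, ... or a library failure */
};

/* Mirror of the struct ub_result fields this example reads (assumed to match
 * libunbound's public header; the real struct carries more fields). */
struct result_view {
    int rcode;     /* RCODE of the returned message: 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, ... */
    int havedata;  /* nonzero when the answer holds records of the queried type */
    int nxdomain;  /* nonzero when the name does not exist */
    int secure;    /* nonzero when DNSSEC validation succeeded */
    int bogus;     /* nonzero when DNSSEC validation failed */
};

enum { RCODE_NOERROR = 0, RCODE_SERVFAIL = 2, RCODE_NXDOMAIN = 3 };

/* Classify one lookup. ub_err is the int returned by ub_resolve() (0 on success). */
enum dane_status classify(int ub_err, const struct result_view *r)
{
    if (ub_err != 0 || r == NULL)
        return DANE_LOOKUP_ERROR;   /* no answer at all: timeout, bad context, ... */
    if (r->bogus)
        return DANE_BOGUS;          /* checked before rcode so a failed validation is
                                       never read as "unsigned zone" */
    if (r->rcode != RCODE_NOERROR && r->rcode != RCODE_NXDOMAIN)
        return DANE_LOOKUP_ERROR;   /* SERVFAIL, FORMERR, NOTIMP, REFUSED, ... */
    return r->secure ? DANE_SECURE : DANE_INSECURE;
}

/* Name the response shape for the three cases where secure/insecure means anything. */
const char *response_kind(const struct result_view *r)
{
    if (r->rcode == RCODE_NXDOMAIN || r->nxdomain) return "NXDOMAIN";
    if (r->rcode == RCODE_NOERROR && !r->havedata)  return "NODATA";
    if (r->rcode == RCODE_NOERROR)                  return "NOERROR";
    return "error";
}

const char *status_name(enum dane_status s)
{
    static const char *names[] = { "secure", "insecure", "bogus", "lookup error" };
    return names[s];
}

int main(void)
{
    /* Constructed sample results, not captured from a resolver. */
    struct result_view samples[] = {
        /* rcode, havedata, nxdomain, secure, bogus */
        { 0, 1, 0, 1, 0 },   /* signed TLSA RRset          -> secure   (NOERROR)  */
        { 0, 0, 0, 1, 0 },   /* validated NODATA           -> secure   (NODATA)   */
        { 3, 0, 1, 0, 0 },   /* unsigned zone, name absent -> insecure (NXDOMAIN) */
        { 0, 1, 0, 0, 1 },   /* signature check failed     -> bogus              */
        { 2, 0, 0, 0, 0 },   /* SERVFAIL                   -> lookup error       */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %s\n", response_kind(&samples[i]),
               status_name(classify(0, &samples[i])));
    printf("ub_resolve() error -> %s\n", status_name(classify(-1, NULL)));
    return 0;
}
```

The order of the checks is the point: bogus is tested before rcode, so a validation failure can never fall through to "insecure", and only rcode 0 or 3 ever reaches the secure/insecure decision. An NXDOMAIN with secure set is a validated denial of existence and is treated as a real answer, exactly as the RFC 7672 text says.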
