[dns-operations] Added a DO+CD test to genreport and a number of the root servers fail.

Ray Bellis ray at isc.org
Wed Jun 13 15:30:48 UTC 2018


On 13/06/2018 15:56, Klaus Darilion wrote:

> Only for resolvers, not for authoritative name servers:
> 
> 3.1.6.  The AD and CD Bits in an Authoritative Response
> ...
>    A security-aware name server does not perform signature validation
>    for authoritative data during query processing, even when the CD bit
>    is clear.  A security-aware name server SHOULD clear the CD bit when
>    composing an authoritative response.

albeit still unclear about what it means by an "authoritative response".

I think it just means one not containing "data obtained via recursion"
as opposed to one that has the AA bit set.

Ray
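
The flag check under discussion, as an added example that is not part of the original message and is not genreport's code: it builds a non-recursive query with DO and CD set, then reports the AA and CD bits of a response so the CD handling quoted from section 3.1.6 can be checked separately from whether AA is set. All function names are hypothetical and the two responses are constructed samples, not captures from any server.

```python
import struct

# DNS header flag masks (RFC 1035, RFC 4035) and the EDNS DO bit (RFC 3225).
QR, AA, CD = 0x8000, 0x0400, 0x0010
EDNS_DO = 0x8000

def encode_name(name):
    """Encode a domain name in wire format; "." becomes the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_do_cd_query(qname, qtype=6, qid=0x1234):
    """Non-recursive query (RD=0) with CD=1 in the header and DO=1 in the OPT RR."""
    header = struct.pack("!HHHHHH", qid, CD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode|version|flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt

def header_flags(msg):
    """Return (message id, flags word) from the fixed 12-byte header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!HH", msg[:4])

def classify(query, response):
    """Report AA and CD in a response to a DO+CD query."""
    qid, _ = header_flags(query)
    rid, flags = header_flags(response)
    if rid != qid or not flags & QR:
        raise ValueError("not a response to this query")
    return {"aa": bool(flags & AA), "cd": bool(flags & CD),
            "rcode": flags & 0x000F,
            "cd_cleared": not flags & CD}  # the SHOULD in section 3.1.6

def sample_response(query, flags):
    """Constructed response: header with the given flags plus the echoed question."""
    qid, _ = header_flags(query)
    question = query[12:-11]  # strip the header and the 11-byte OPT RR
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question

if __name__ == "__main__":
    q = build_do_cd_query(".")  # SOA query for the root zone
    for label, flags in (("CD cleared", QR | AA), ("CD echoed", QR | AA | CD)):
        print(label, classify(q, sample_response(q, flags)))
```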


