[dns-operations] Added a DO+CD test to genreport and a number of the root servers fail.
Ray Bellis
ray at isc.org
Wed Jun 13 15:30:48 UTC 2018
On 13/06/2018 15:56, Klaus Darilion wrote:
> Only for resolvers, not for authoritative name servers:
>
> 3.1.6. The AD and CD Bits in an Authoritative Response
> ...
> A security-aware name server does not perform signature validation
> for authoritative data during query processing, even when the CD bit
> is clear. A security-aware name server SHOULD clear the CD bit when
> composing an authoritative response.
albeit still unclear about what it means by an "authoritative response".
I think it just means one not containing "data obtained via recursion"
as opposed to one that has the AA bit set.
Ray
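
An added example, not part of the message above and not genreport's own code: a header-level check that reports what a server did with the CD bit, and separates responses with AA set from those without it, since those are the two readings of "authoritative response" discussed above. The function names and the header-only sample messages are constructed for illustration.

```python
import struct

# DNS header flag masks (RFC 1035; AD and CD as defined for DNSSEC)
QR, AA, RA, AD, CD = 0x8000, 0x0400, 0x0080, 0x0020, 0x0010

def header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F}

def cd_verdict(query: bytes, response: bytes) -> str:
    """Classify how the responder handled CD for a query/response pair."""
    q, r = header(query), header(response)
    if q["qr"] or not r["qr"]:
        raise ValueError("expected a query followed by a response")
    if q["id"] != r["id"]:
        raise ValueError("response ID does not match query ID")
    if not q["cd"]:
        return "query-without-cd"      # nothing to test
    if not r["cd"]:
        return "cd-cleared"            # what the quoted SHOULD asks for
    # CD came back set. Whether the SHOULD applies depends on the reading:
    # with AA set it applies under both readings; a referral carries no AA
    # but also holds no data obtained via recursion, so only the broader
    # reading covers it.
    return "cd-echoed-with-aa" if r["aa"] else "cd-echoed-without-aa"

def make_header(ident: int, flags: int) -> bytes:
    """Build a header-only message (all section counts zero)."""
    return struct.pack("!6H", ident, flags, 0, 0, 0, 0)

# Constructed samples: one query with CD set, three possible responses.
QUERY = make_header(0x1234, CD)
RESP_CLEARED = make_header(0x1234, QR | AA)
RESP_ECHOED_AA = make_header(0x1234, QR | AA | CD)
RESP_ECHOED_REFERRAL = make_header(0x1234, QR | CD)

if __name__ == "__main__":
    for name, resp in [("cleared", RESP_CLEARED),
                       ("echoed, AA set", RESP_ECHOED_AA),
                       ("echoed, AA clear", RESP_ECHOED_REFERRAL)]:
        print(f"{name}: {cd_verdict(QUERY, resp)}")
```

The DO bit lives in the EDNS OPT record rather than the header, so this check covers only the CD half of a DO+CD query.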