[dns-operations] Added a DO+CD test to genreport and a number of the root servers fail.

Mark Andrews marka at isc.org
Wed Jun 13 17:58:45 UTC 2018


RFC 4035 is self-inconsistent.

   DNSSEC allocates two new bits in the DNS message header: the CD
   (Checking Disabled) bit and the AD (Authentic Data) bit.  The CD bit
   is controlled by resolvers; a security-aware name server MUST copy
   the CD bit from a query into the corresponding response.  The AD bit
   is controlled by name servers; a security-aware name server MUST
   ignore the setting of the AD bit in queries.  See Sections 3.1.6,
   3.2.2, 3.2.3, 4, and 4.9 for details on the behavior of these bits.

You have a MUST copy and a SHOULD clear.

> On 14 Jun 2018, at 12:56 am, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
> 
> 
> 
> Am 13.06.2018 um 15:21 schrieb Mark Andrews:
>> According to RFC 4035 CD is supposed to be copied to the reply.
> 
> Only for resolvers, not for authoritative name servers:
> 
> 3.1.6.  The AD and CD Bits in an Authoritative Response
> ...
>   A security-aware name server does not perform signature validation
>   for authoritative data during query processing, even when the CD bit
>   is clear.  A security-aware name server SHOULD clear the CD bit when
>   composing an authoritative response.
> 
> regards
> Klaus
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
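Added illustration, not code from genreport or from either poster: a stdlib-only Python check that builds a DO+CD query, constructs two minimal authoritative replies (one that copies CD as section 3 requires, one that clears it as section 3.1.6 permits), and reports which clause the responder followed. The query and reply bytes are constructed in-line; nothing is sent on the network.

```python
import struct

# Header flag bits (second 16-bit word of the 12-byte DNS header)
QR = 0x8000  # response
AA = 0x0400  # authoritative answer
RD = 0x0100  # recursion desired
AD = 0x0020  # Authentic Data
CD = 0x0010  # Checking Disabled
DO = 0x8000  # DNSSEC OK, in the EDNS flags half of the OPT record's TTL field


def build_query(qname, qid=0x1234, cd=True, do=True):
    """Constructed DO+CD query of the kind a genreport-style test sends."""
    header = struct.pack("!HHHHHH", qid, RD | (CD if cd else 0), 1, 0, 0, 1)
    labels = [l for l in qname.split(".") if l]
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO if do else 0, 0)
    return header + question + opt


def make_response(query, copy_cd):
    """Constructed minimal authoritative reply: same ID, QR+AA set, CD copied or cleared."""
    qid, qflags = struct.unpack("!HH", query[:4])
    rflags = QR | AA | ((qflags & CD) if copy_cd else 0)
    return struct.pack("!HH", qid, rflags) + query[4:]


def classify_cd(query, response):
    """Say which RFC 4035 clause the responder followed for the CD bit.

    "copied"  : section 3 (MUST copy CD from query into the response)
    "cleared" : section 3.1.6 (SHOULD clear CD in an authoritative response)
    "set-unrequested": CD set in the reply although the query did not set it
    """
    qid, qflags = struct.unpack("!HH", query[:4])
    rid, rflags = struct.unpack("!HH", response[:4])
    if rid != qid or not rflags & QR:
        raise ValueError("not a response to this query")
    q_cd, r_cd = bool(qflags & CD), bool(rflags & CD)
    if q_cd == r_cd:
        return "copied"
    return "cleared" if q_cd else "set-unrequested"


if __name__ == "__main__":
    q = build_query("example.com.")
    for copy in (True, False):
        print("copy_cd=%s -> %s" % (copy, classify_cd(q, make_response(q, copy))))
```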
