[dns-operations] validation problem on 1.1.1.1

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Feb 3 11:28:48 UTC 2020


On Mon, Feb 03, 2020 at 07:19:16PM +0900, T.Suzuki wrote:

> Something strange...
> ~% dig soa nasa.gov @1.1.1.1 +dnssec +noad
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

Yes, it seems that Cloudflare do not return the AD bit when it is not
requested, even when the DO bit is set.

   https://tools.ietf.org/html/rfc6840#section-5.8

   Section 3.2.3 of [RFC4035] describes under which conditions a
   validating resolver should set or clear the AD bit in a response.  In
   order to interoperate with legacy stub resolvers and middleboxes that
   neither understand nor ignore the AD bit, validating resolvers SHOULD
   only set the AD bit when a response both meets the conditions listed
   in Section 3.2.3 of [RFC4035], and the request contained either a set
   DO bit or a set AD bit.

And the other public resolvers do set the AD bit when only the DO bit
appears in the query, but is it wrong, or "how wrong" is it, for CF to not do this?

Is this causing an observable issue for some stub resolver that uses the
AD bit from a remote source like CF?  Is the stub resolver doing DoH or
DoT (and authenticating the remote cert chain) to secure the channel?

It would be interesting to know whether CF ran into some broken client
systems that needed AD off when not directly solicited, all the while
sending "DO"?

-- 
    Viktor.
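The behaviour under discussion can be checked mechanically: build the query that `dig soa nasa.gov +dnssec +noad` sends (EDNS0 OPT record with DO set, header AD bit clear), look at the flags the resolver returns, and compare with what RFC 6840 section 5.8 says a validating resolver SHOULD do. The following is an added, stand-alone example written for this page, not code from the thread or from any resolver; it uses only the Python standard library and a response header constructed by hand from the `dig` output quoted above (flags qr rd ra, ANSWER 2, ADDITIONAL 1), so it runs offline. The `answer_validated=True` assumption stands in for the RFC 4035 section 3.2.3 conditions, which this snippet does not evaluate.

```python
"""Build DNS queries with the DO / AD request bits and check the AD flag in
responses against RFC 6840 section 5.8.  Added example, standard library only."""
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.1.6)
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
FLAG_RA, FLAG_AD, FLAG_CD = 0x0080, 0x0020, 0x0010
OPT_TYPE = 41
OPT_DO = 0x8000  # DO is bit 15 of the OPT RR's 32-bit TTL field (RFC 3225)


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype, do=True, ad=False, msg_id=0x1234):
    """Wire-format query equivalent to `dig <name> <type> +dnssec [+adflag]`.
    +dnssec adds an EDNS0 OPT pseudo-RR carrying the DO bit; +adflag sets AD."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if do:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/DO, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, OPT_DO, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte header into named flags and section counts."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD), "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def request_do_bit(msg):
    """True if the message carries an EDNS0 OPT RR with the DO bit set."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE and ttl & OPT_DO:
            return True
        off += 10 + rdlen
    return False


def should_set_ad(answer_validated, request_do, request_ad):
    """RFC 6840 section 5.8: a validating resolver SHOULD set AD only when the
    answer meets RFC 4035 section 3.2.3 AND the request had DO or AD set."""
    return answer_validated and (request_do or request_ad)


# Constructed header matching the quoted dig output: flags qr rd ra (no AD),
# QUERY 1, ANSWER 2, AUTHORITY 0, ADDITIONAL 1.  Not captured from a real server.
OBSERVED_RESPONSE_HEADER = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 2, 0, 1)


def check_ad_behaviour(query, response_header, answer_validated=True):
    """Compare the AD bit the resolver returned with what RFC 6840 5.8 recommends.
    answer_validated is assumed (the zone is signed and validates) rather than checked."""
    expected = should_set_ad(answer_validated, request_do_bit(query), parse_header(query)["ad"])
    observed = parse_header(response_header)["ad"]
    return {"expected_ad": expected, "observed_ad": observed, "matches_rfc6840": expected == observed}


if __name__ == "__main__":
    q = build_query("nasa.gov", 6, do=True, ad=False)  # dig soa nasa.gov +dnssec +noad
    print(check_ad_behaviour(q, OBSERVED_RESPONSE_HEADER))
```

Run as a script it reports `expected_ad: True, observed_ad: False`, i.e. the quoted response deviates from the SHOULD in RFC 6840 5.8 (DO alone should suffice for AD), which is the interoperability question raised in the message; the same helpers can be pointed at a captured response from any resolver to see whether it sets AD for DO-only queries.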
