DNSSEC debugging: TC and AD-Flag set?

Tony Finch dot at dotat.at
Mon Feb 25 11:29:03 UTC 2019


Tom <tomtux007 at gmail.com> wrote:
>
> I've enabled deep log-debugging in BIND 9.12.2-P1 (resolver) for DNSSEC
> purposes and was wondering why my resolver received an "authenticated data"
> answer from one of the authoritative servers for "org." (199.19.57.1), while
> the response has the TC (truncated) flag set too:

The relevant spec is RFC 3655 section 2, which doesn't say what to do if
the response is truncated. A reasonable implementation strategy is to
build a complete response, then truncate it if required. (This is not as
wasteful as it sounds because an authoritative server might have
pre-compiled all possible responses.) It's plausible not to have a special
case to clear AD after truncation if the response ends up empty, and it's
allowed because every record is authenticated (there just happen to be
zero records).

https://tools.ietf.org/html/rfc3655#section-2

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Southeast Iceland: Cyclonic 4 or 5, becoming southeasterly 6 to gale 8,
veering southwesterly 7 to severe gale 9, perhaps storm 10 later. Very rough,
becoming high or very high. Rain then squally showers. Moderate or poor.
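The build-then-truncate strategy described in the reply, as an added worked example that is not part of the original message and not BIND's code: a minimal wire-format builder assembles a complete response with AD set, the truncation step drops whole answer RRs from the end until the message fits the caller's size limit and sets TC without touching any other header bit, and a resolver-side check shows why a truncated reply is retried over TCP rather than trusted on the strength of its AD bit. The sample message (example.org., three A records) is constructed for the example; names are kept uncompressed and only A/IN records are handled, which is a simplification, not a claim about how any real server encodes its answers.

```python
import struct

# Header flag bits: RFC 1035 section 4.1.1; AD and CD were added by RFC 2535,
# AD semantics restated in RFC 3655 section 2.
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
FLAG_RA, FLAG_AD, FLAG_CD = 0x0080, 0x0020, 0x0010


def encode_name(name):
    """Wire-format a domain name as uncompressed labels (simplification)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(buf, off):
    """Return the offset just past the uncompressed name starting at off."""
    while buf[off] != 0:
        off += 1 + buf[off]
    return off + 1


def build_response(qname, answers, flags, msg_id=0x1234):
    """Assemble a complete response: header, one A/IN question, one A RR per answer."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b""
    for ttl, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        rrs += encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, 0)
    return header + question + rrs


def parse(msg):
    """Split a message into header fields, the question section and a list of answer RRs."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    question = msg[12:off]
    rrs = []
    for _ in range(an):
        start = off
        off = skip_name(msg, off) + 8  # TYPE + CLASS + TTL
        rdlen = struct.unpack("!H", msg[off:off + 2])[0]
        off += 2 + rdlen
        rrs.append(msg[start:off])
    return {"id": msg_id, "flags": flags, "qdcount": qd, "question": question, "answers": rrs}


def decode_flags(flags):
    names = (("QR", FLAG_QR), ("AA", FLAG_AA), ("TC", FLAG_TC), ("RD", FLAG_RD),
             ("RA", FLAG_RA), ("AD", FLAG_AD), ("CD", FLAG_CD))
    return {n: bool(flags & bit) for n, bit in names}


def truncate_to_fit(msg, max_size):
    """Build-then-truncate: drop whole answer RRs from the end until the message
    fits max_size, set TC, and leave every other header bit (AD included) as it
    was. With a small enough limit the answer section ends up empty but AD stays
    set, which is the combination seen in the question above."""
    p = parse(msg)
    answers = list(p["answers"])
    flags = p["flags"]
    while answers and 12 + len(p["question"]) + sum(map(len, answers)) > max_size:
        answers.pop()
        flags |= FLAG_TC
    header = struct.pack("!HHHHHH", p["id"], flags, p["qdcount"], len(answers), 0, 0)
    return header + p["question"] + b"".join(answers)


def resolver_action(msg):
    """Resolver side: a truncated reply is incomplete whatever its AD bit says,
    so the only sensible move is to retry over TCP before using any of it."""
    f = decode_flags(parse(msg)["flags"])
    if f["TC"]:
        return "retry-tcp"
    return "accept-authenticated" if f["AD"] else "accept-unauthenticated"


if __name__ == "__main__":
    # Constructed sample: an authoritative, AD-flagged answer with three A records.
    full = build_response("example.org.", [(300, "192.0.2.1"), (300, "192.0.2.2"),
                                           (300, "192.0.2.3")], FLAG_QR | FLAG_AA | FLAG_AD)
    cut = truncate_to_fit(full, 40)
    print(len(full), len(cut), decode_flags(parse(cut)["flags"]), resolver_action(cut))
```

Run as a script it prints the full and truncated sizes, the truncated message's flags (TC and AD both true, zero answers) and the resolver's decision, "retry-tcp". The limit of 40 bytes is artificially small so that the whole answer section is dropped; a limit of 60 keeps one RR and still sets TC.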