[dnssec-deployment] some observations about .SE's DNSSEC
Mark_Andrews at isc.org
Wed Sep 26 03:32:17 EDT 2007
> On 26 sep 2007, at 00.12, <Mats.Dufberg at teliasonera.com> wrote:
> > Crappy or not, we have also discovered that Bind 9.4.1-P1 (which is
> > the
> > most recent version of Bind) does not follow the standards
> > correctly. It
> > returns the ad flag set even if the do flag was not set in the query.
> > And it was the ad flag that the broadband routers reacted against.
> > Bind
> > 9.3 does not seem to have that error.
> RFC 3655 (november 2003) states:
> "The AD bit MUST only be set if DNSSEC records have been requested via
> the DO bit [RFC3225] and relevant SIG records are returned."
> so BIND 9.4 is obviously doing the wrong thing here.
No. It's just in a slight time warp :-)
AD w/o DO was legal at one point. This make those routers
broken as well.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the Dnssec-deployment