Flags?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon May 30 18:11:38 UTC 2016


On Mon, May 30, 2016 at 09:18:59AM +0200, W.C.A. Wijngaards wrote:

> If secure and bogus are both not set, the message is 'insecure', i.e. it
> was not dnssec signed.

Also SERVFAIL, FORMERR, NOTIMP, ... are neither secure nor insecure.
DNSSEC security status only applies to a response RRset or denial
of existence of that RRset.

The only response codes for which the secure/insecure distinction
applies are:

    NOERROR
    NXDOMAIN
    NODATA (NOERROR + ANCOUNT = 0)

All other error codes don't distinguish between signed and unsigned
zones, all we know is that the lookup failed (misconfiguration,
DoS, MiTM, ...).

This is important in opportunistic DANE TLS, see:

    https://tools.ietf.org/html/rfc7672#section-2.1

There I make the case that non-bogus NOERROR, NODATA and NXDOMAIN
are not errors, while bogus responses and all other response codes
are lookup errors.

-- 
	Viktor.
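As an added illustration (not code from the thread, from Unbound or from RFC 7672), the classification Viktor describes, written as a small Python classifier. The `Result` record is a constructed stand-in loosely modelled on a validating resolver's result (numeric rcode, answer count, `secure` and `bogus` flags); its field names and the three DANE outcomes are assumptions for the example, not an API.

```python
from dataclasses import dataclass
from enum import Enum

# DNS RCODE values from the IANA registry (RFC 1035 / RFC 6895).
NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMP, REFUSED = 0, 1, 2, 3, 4, 5

class Dnssec(Enum):
    SECURE = "secure"            # signed and validated
    INSECURE = "insecure"        # provably unsigned (neither flag set)
    BOGUS = "bogus"              # validation failed
    NA = "not-applicable"        # rcode carries no security status at all

class Outcome(Enum):
    TLSA_USABLE = "validated TLSA records, authenticate the peer"
    NO_DANE = "no DANE: secure or insecure denial, or unsigned answer"
    LOOKUP_ERROR = "lookup error: bogus or failed query, do not downgrade"

@dataclass(frozen=True)
class Result:                    # constructed stand-in for a resolver result
    rcode: int
    ancount: int                 # NOERROR with ancount == 0 is NODATA
    secure: bool = False
    bogus: bool = False

def dnssec_status(r: Result) -> Dnssec:
    """Secure/insecure/bogus is only defined for NOERROR, NODATA, NXDOMAIN."""
    if r.rcode not in (NOERROR, NXDOMAIN):
        return Dnssec.NA         # SERVFAIL, FORMERR, NOTIMP, REFUSED, ...
    if r.bogus:
        return Dnssec.BOGUS
    return Dnssec.SECURE if r.secure else Dnssec.INSECURE

def dane_outcome(r: Result) -> Outcome:
    """RFC 7672 s2.1: non-bogus NOERROR/NODATA/NXDOMAIN are answers,
    bogus responses and every other rcode are lookup errors."""
    status = dnssec_status(r)
    if status in (Dnssec.NA, Dnssec.BOGUS):
        return Outcome.LOOKUP_ERROR
    if status is Dnssec.SECURE and r.rcode == NOERROR and r.ancount > 0:
        return Outcome.TLSA_USABLE
    return Outcome.NO_DANE       # includes TLSA data from an unsigned zone

if __name__ == "__main__":
    samples = [  # constructed TLSA lookup results
        ("signed TLSA answer", Result(NOERROR, 2, secure=True)),
        ("signed NODATA", Result(NOERROR, 0, secure=True)),
        ("unsigned NXDOMAIN", Result(NXDOMAIN, 0)),
        ("unsigned TLSA answer", Result(NOERROR, 1)),
        ("bogus answer", Result(NOERROR, 1, bogus=True)),
        ("SERVFAIL", Result(SERVFAIL, 0)),
    ]
    for label, r in samples:
        print(f"{label:22} {dnssec_status(r).value:15} {dane_outcome(r).value}")
```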
