Hello John-Paul.
On 11/14/2016 07:36 PM, John-Paul Gignac wrote:
> I'm an engineer at Dyn and I work on the same team
> as Matthijs Mekking.
> I noticed that commit 3f950e1d
> (https://gitlab.labs.nic.cz/labs/knot/commit/3f950e1d3f323b0ebbd339de29f8c8b…)
> changes the handling of the CD bit in responses. The test code
> comments indicate that this is in accordance with
> https://tools.ietf.org/html/rfc4035#section-3.1.6, but my reading is
> that it contradicts section 3 of the same RFC. I was wondering if
> somebody could explain the history or the thinking behind this change.
I remember the thinking behind this commit (we discussed it internally).
3.1.6 states in particular:
    A security-aware name server SHOULD clear the CD bit when composing an
    authoritative response.
I personally believe the (apparent) contradiction is due to AD and CD
flags not being "meant for" authoritative(-only) servers, so the
introduction of section 3 doesn't account for that case and 3.1.6
explains the exception later.
    These bits are for the most part not relevant to query processing by
    security-aware authoritative name servers.
I suppose the overall formulation could be better; the situation is
further muddled by bind not clearing the CD flag even if in
authoritative-only mode (according to our tests). Do you know about some
(standard) setups that break due to this change?
--Vladimir
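To make the RFC 4035 section 3.1.6 behaviour discussed in this thread concrete, here is an added example (not Knot DNS code, not part of the thread) that composes the flags word of an authoritative response from a query's flags, clearing CD as 3.1.6 says, and a check that detects the opposite behaviour (an AA=1 response with CD still set) on a raw DNS header. It assumes 12-byte DNS headers constructed inline; names such as `compose_authoritative_flags` are this example's own.

```python
import struct

# DNS header flag bits (RFC 1035 header layout, AD/CD from RFC 4035)
QR = 0x8000      # response
OPCODE = 0x7800  # four opcode bits, copied from the query
AA = 0x0400      # authoritative answer
RD = 0x0100      # recursion desired, echoed from the query
AD = 0x0020      # authentic data
CD = 0x0010      # checking disabled


def compose_authoritative_flags(query_flags: int) -> int:
    """Flags word for an authoritative response to a query with query_flags.

    Per RFC 4035 3.1.6 the CD bit is cleared when composing an authoritative
    response, and AD is left clear because the authoritative server has not
    validated anything. QR and AA are set; opcode and RD come from the query.
    """
    return QR | AA | (query_flags & (OPCODE | RD))


def parse_header_flags(packet: bytes) -> dict:
    """Decode the flag bits of a wire-format DNS message header."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes")
    ident, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": ident,
        "qr": bool(flags & QR), "aa": bool(flags & AA),
        "rd": bool(flags & RD), "ad": bool(flags & AD), "cd": bool(flags & CD),
    }


def cd_set_in_authoritative_response(packet: bytes) -> bool:
    """True if the message is an authoritative response that still carries CD.

    This is the behaviour the thread describes for servers that echo CD back
    instead of clearing it as 3.1.6 recommends.
    """
    f = parse_header_flags(packet)
    return f["qr"] and f["aa"] and f["cd"]


def make_header(ident: int, flags: int) -> bytes:
    """Constructed sample: header with QDCOUNT=1 and no other sections."""
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)


# Constructed sample messages: a query with CD set, a response that echoes
# CD back, and a response composed per RFC 4035 3.1.6.
QUERY_WITH_CD = make_header(0x1234, RD | CD)
RESPONSE_ECHOING_CD = make_header(0x1234, QR | AA | RD | CD)
RESPONSE_PER_RFC = make_header(0x1234, compose_authoritative_flags(RD | CD))
```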