Re: [knot-dns-users] Don't preserve CD flag?

Hello John-Paul. On 11/14/2016 07:36 PM, John-Paul Gignac wrote: I'm an engineer at Dyn and I work on the same team as Matthijs Mekking. I noticed that commit 3f950e1d (https://gitlab.labs.nic.cz/ labs/knot/commit/3f950e1d3f323b0ebbd339de29f8c8b4568706ad) changes the handling of the CD bit in responses. The test code comments indicate that this is in accordance with https://tools.ietf.org/html/ rfc4035#section-3.1.6, but my reading is that it contradicts section 3 of the same RFC. I was wondering if somebody could explain the history or the thinking behind this change. I remember the thinking behind this commit (we discussed it internally). 3.1.6 states in particular: A security-aware name server SHOULD clear the CD bit when composing an authoritative response. I personally believe the (apparent) contradiction is due to AD and CD flags not being "meant for" authoritative(-only) servers, so the introduction of the section 3 doesn't account for that case and 3.1.6 explains the exception later. These bits are for the most part not relevant to query processing by security-aware authoritative name servers. I suppose the overall formulation could be better; the situation is further muddled by bind not clearing the CD flag even if in authoritative-only mode (according to our tests). Do you know about some (standard) setups that break due to this change? --Vladimir