Hello John-Paul.
On 11/14/2016 07:36 PM, John-Paul Gignac wrote:
  I'm an engineer at Dyn and I work on the same team as Matthijs Mekking.

  I noticed that commit 3f950e1d (https://gitlab.labs.nic.cz/labs/knot/commit/3f950e1d3f323b0ebbd339de29f8c8b…) changes the handling of the CD bit in responses. The test code comments indicate that this is in accordance with https://tools.ietf.org/html/rfc4035#section-3.1.6, but my reading is that it contradicts section 3 of the same RFC. I was wondering if somebody could explain the history or the thinking behind this change.
I remember the thinking behind this commit (we discussed it internally).
3.1.6 states in particular:
  A security-aware name server SHOULD clear the CD bit when composing an authoritative response.
I personally believe the (apparent) contradiction is due to AD and CD
flags not being "meant for" authoritative(-only) servers, so the
introduction of section 3 doesn't account for that case and 3.1.6
explains the exception later.
  These bits are for the most part not relevant to query processing by security-aware authoritative name servers.
I suppose the overall formulation could be better; the situation is
further muddled by BIND not clearing the CD flag even if in
authoritative-only mode (according to our tests). Do you know about some
(standard) setups that break due to this change?
--Vladimir
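As an added illustration (not part of this thread, and not Knot's or BIND's code), a small Python checker for the behaviour under discussion: it reads the flag word of a wire-format DNS header, composes the flags of an authoritative response the way RFC 4035 section 3.1.6 describes (CD cleared), and reports an authoritative response that still carries CD. The query and response headers are constructed inline; the function names are the example's own.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.1.6).
QR, AA, TC, RD, RA, AD, CD = (1 << 15), (1 << 10), (1 << 9), (1 << 8), (1 << 7), (1 << 5), (1 << 4)


def header_flags(msg: bytes) -> tuple:
    """Return (ID, FLAGS) from the 12-byte header of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    msg_id, flags = struct.unpack("!HH", msg[:4])
    return msg_id, flags


def authoritative_response_flags(query_flags: int) -> int:
    """Flag word for an authoritative response to a query carrying query_flags.

    QR and AA are set and RD is echoed from the query; opcode and RCODE stay
    QUERY/NOERROR. CD is cleared, as RFC 4035 section 3.1.6 says it SHOULD be,
    and AD stays clear because an authoritative-only server does no validation.
    """
    return QR | AA | (query_flags & RD)


def cd_bit_problems(response: bytes) -> list:
    """Report what a reviewer of the commit in the thread would look for:
    an authoritative (AA=1) response that still has CD=1."""
    _, flags = header_flags(response)
    problems = []
    if not flags & QR:
        problems.append("not a response (QR=0)")
    if flags & AA and flags & CD:
        problems.append("authoritative response keeps CD set")
    return problems


def build_header(msg_id: int, flags: int, qdcount: int = 1) -> bytes:
    """Constructed 12-byte header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, 0, 0, 0)


# Constructed sample query with RD and CD set, as a resolver doing its own validation sends.
QUERY = build_header(0x1234, RD | CD)
# Response composed per section 3.1.6 (CD cleared), i.e. the post-commit behaviour...
CLEARED_CD = build_header(0x1234, authoritative_response_flags(header_flags(QUERY)[1]))
# ...and one that echoes CD back, the behaviour the thread reports seeing from BIND.
ECHOED_CD = build_header(0x1234, QR | AA | RD | CD)
```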