[nsd-users] do bit
matthijs at NLnetLabs.nl
Tue Sep 20 10:21:32 CEST 2011
-----BEGIN PGP SIGNED MESSAGE-----
You are hitting something old. From the REQUIREMENTS of NSD:
+ If the DNSSEC OK bit (DO bit) is set then the query will be
processed as a DNSSEC request. Although RFC3225 does not
explicitly specify this NSD clears the DO bit in the answer.
This has been in there since version 1.0.1 :)
I believe that the scope RFC3255 is explicit for resolvers, and RFC 4034
is not clear about it what an authoritative server should do.
I know we made dnext-dnssec-bis-updates for this:
5.6. Setting the DO Bit on Replies
As stated in [RFC3225], the DO bit of the query MUST be copied in the
response. At least one implementation has done something different,
so it may be wise for resolvers to be liberal in what they accept.
Although I don't think we are violating with the RFCs, it is possible to
make NSD copy the DO bit, instead of clear it.
On 09/19/2011 02:52 PM, Miek Gieben wrote:
> I was playing around with some experimental code and I noticed
> that 'open.nlnetlabs.nl' does not set the DO bit in the reply, when
> it is set in the query, as is required per RFC 3225.
> % dig @open.nlnetlabs.nl +dnssec mx miek.nl | grep EDNS
> ; EDNS: version: 0, flags:; udp: 4096
> % dig @miek.nl +dnssec mx miek.nl | grep EDNS
> ; EDNS: version: 0, flags: do; udp: 4096
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the nsd-users