Flags?

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue May 31 07:06:33 UTC 2016


Hi Viktor,

On 30/05/16 20:11, Viktor Dukhovni via Unbound-users wrote:
> On Mon, May 30, 2016 at 09:18:59AM +0200, W.C.A. Wijngaards wrote:
> 
>> If secure and bogus are both not set, the message is 'insecure', i.e. it
>> was not dnssec signed.
> 
> Also SERVFAIL, FORMERR, NOTIMP, ... are neither secure not insecure.
> DNSSEC Security status only applies to a response RRset or denial
> of existence of that RRset.
> 
> The only response codes for which the secure/insecure distinction
> applies are:
> 
>     NOERROR
>     NXDOMAIN
>     NODATA (NOERROR + ANCOUNT = 0)

Libunbound exports the 'rcode' field that can be used for this (rcode==0
|| rcode==3), it contains the RCODE of the return message.  That could
also be SERVFAIL, i.e. lookup error of some sort.

Best regards, Wouter

> 
> All other error codes don't distinguish between signed and unsigned
> zones, all we know is that the lookup failed (misconfiguration,
> DoS, MiTM, ...).
> 
> This is important in opportunistic DANE TLS, see:
> 
>     https://tools.ietf.org/html/rfc7672#section-2.1
> 
> There I make the case that non-bogus NOERROR, NODATA and NXDOMAIN
> are not errors, while bogus responses and all other response codes
> are lookup errors.
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20160531/ffc2703c/attachment.bin>


More information about the Unbound-users mailing list