Hello John-Paul.

On 11/14/2016 07:36 PM, John-Paul Gignac wrote:

I'm an engineer at Dyn and I work on the same team as Matthijs Mekking.

I noticed that commit 3f950e1d (https://gitlab.labs.nic.cz/labs/knot/commit/3f950e1d3f323b0ebbd339de29f8c8b4568706ad) changes the handling of the CD bit in responses. The test code comments indicate that this is in accordance with https://tools.ietf.org/html/rfc4035#section-3.1.6, but my reading is that it contradicts section 3 of the same RFC. I was wondering if somebody could explain the history or the thinking behind this change.

I remember the thinking behind this commit (we discussed it internally). 3.1.6 states in particular:

A security-aware name server SHOULD clear the CD bit when composing an authoritative response.

I personally believe the (apparent) contradiction is due to AD and CD flags not being "meant for" authoritative(-only) servers, so the introduction of the section 3 doesn't account for that case and 3.1.6 explains the exception later.

These bits are for the most part not relevant to query processing by security-aware authoritative name servers.

I suppose the overall formulation could be better; the situation is further muddled by bind not clearing the CD flag even if in authoritative-only mode (according to our tests). Do you know about some (standard) setups that break due to this change?

--Vladimir