Hello John-Paul.
On 11/14/2016 07:36 PM, John-Paul Gignac wrote:
> I'm an engineer at Dyn and I work on the same team as Matthijs Mekking.
> I noticed that commit 3f950e1d (https://gitlab.labs.nic.cz/labs/knot/commit/3f950e1d3f323b0ebbd339de29f8c8b4568706ad) changes the handling of the CD bit in responses. The test code comments indicate that this is in accordance with https://tools.ietf.org/html/rfc4035#section-3.1.6, but my reading is that it contradicts section 3 of the same RFC. I was wondering if somebody could explain the history or the thinking behind this change.
I remember the thinking behind this commit (we discussed it internally). 3.1.6 states in particular:
A security-aware name server SHOULD clear the CD bit when composing an authoritative response.
I personally believe the (apparent) contradiction is due to the AD and CD flags not being "meant for" authoritative(-only) servers, so the introduction of section 3 doesn't account for that case and 3.1.6 explains the exception later.
These bits are for the most part not relevant to query processing by security-aware authoritative name servers.
I suppose the overall formulation could be better; the situation is further muddled by BIND not clearing the CD flag even in authoritative-only mode (according to our tests). Do you know about some (standard) setups that break due to this change?
--Vladimir