AD flag inconsistency in "Wildcard Expansion" and "Wildcard No Data Error" query

When I use Unbound as a validator to test opt-out NSEC3, I found that in the “wildcard expansion” case Unbound responds with no AD flag, while in the “wildcard no data” case Unbound responds with the AD flag. Is this an inconsistency? According to RFC 5155 “9.2. Use of the AD bit”, the AD bit must not be set when the response contains an NSEC3 RR that covers the “next closer” name and has the opt-out bit set.

So maybe in both cases Unbound should not set the AD bit?

The “wildcard expansion” case query has the following result:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65187
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;b.wild.optout.example. IN A

;; ANSWER SECTION:
b.wild.optout.example. 300 IN A 10.0.0.6
b.wild.optout.example. 300 IN RRSIG A 7 3 300 20110806020105 20110707020105 54458 optout.example. Epk2nJ16+JzMZOHVF0qa+65OxttM8pE25l3u+oLoWpPaGgF6udZmJfhU rw8LThrwYhb5JSxCo4jN7Z7LQa9+sVaWbXzKWD5uCbRcnHajV3bCF1vZ F1b0ZZcIfRLj2vOB

;; AUTHORITY SECTION:
optout.example. 300 IN NS ns.optout.example.
optout.example. 300 IN RRSIG NS 7 2 300 20110806020105 20110707020105 54458 optout.example. HTWJ3lVz7+ksF3P/XEj+13JANSofH82mTQnEjBJghKl4NlxwofcB0L2q t468pfUHZFoZ/eQawhCHgJvppPUY3lXmOCMHD6YwwDklnYE5HcaLYnOP LxJK7Xr842o0BXb4
M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN NSEC3 1 1 10 - QVSNM823Q1GIK9CRGG58TK9AOLCR0DC2
M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN RRSIG NSEC3 7 3 3600 20110806020105 20110707020105 54458 optout.example. VplQeqb2QF71ZYLBR97H5uyzxuALj1NKcLXtDjFEjOlUjSIohyX3UXZ3 HIqkYm/HhsQ/HyeNHGH4hiCqOYjJnfgxlU67kfwhfr4qrkTYeBDxjTN+ nqJtA39H2YyE/0nt

;; ADDITIONAL SECTION:
ns.optout.example. 300 IN A 10.53.0.3
ns.optout.example. 300 IN RRSIG A 7 3 300 20110806020105 20110707020105 54458 optout.example. cTk09mW73DrFu7LNgt0aMV8E3fgrBLuqADWEbb+ZaygfYJYWNF4Y+q+O 3iHgR6CBmW1soMGobwS8xSgNMTEMtPPKWUtnpESqsCRm48ryA+3+F46R mn2BPmgLF7G6E3Hg

The “wildcard no data” case is as follows:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59596
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;b.wild.optout.example. IN AAAA

;; AUTHORITY SECTION:
M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN NSEC3 1 1 10 - QVSNM823Q1GIK9CRGG58TK9AOLCR0DC2
M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN RRSIG NSEC3 7 3 3600 20110806020105 20110707020105 54458 optout.example. VplQeqb2QF71ZYLBR97H5uyzxuALj1NKcLXtDjFEjOlUjSIohyX3UXZ3 HIqkYm/HhsQ/HyeNHGH4hiCqOYjJnfgxlU67kfwhfr4qrkTYeBDxjTN+ nqJtA39H2YyE/0nt
EJ0VQS7A2RURJ4K5QLMURRQQGIG667KK.optout.example. 3600 IN NSEC3 1 1 10 - F1B8R8H9UMD9OS8NH6I63TOO0K39AB11 A RRSIG
EJ0VQS7A2RURJ4K5QLMURRQQGIG667KK.optout.example. 3600 IN RRSIG NSEC3 7 3 3600 20110806020105 20110707020105 54458 optout.example. AH+FOkZQXf91/tIXbRAuyO98uG3a5kC4A4o7kwzK1XV2PInh6mQD2MsY FkmrRU99EHkrsx8nMCq2p7oq2e2wHmwr7lOD+NrH0CO6QYUjs0TnT83n XLXpcXgn8QdkJ2GS
optout.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600
optout.example. 300 IN RRSIG SOA 7 2 300 20110806020105 20110707020105 54458 optout.example. w/NZwX4wbCUhX9+oS8AetzARxIYN6JlD5RATXQtHRiG3hnlGAQmf0kcu YmE1VHtPZP99X+kCH6h+CG23Thesy29EdnHKyoAmymyeKRoOtrkC/I9h oPPx4ppfWwsIQ8hS

2011-07-07
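The rule Jia Li cites can be checked mechanically. The script below is an added example and is not code from the thread or from Unbound: it hashes the query name's ancestors per RFC 5155 section 5, finds the closest encloser proof (section 8.3, or section 8.8 when the RRSIG Labels field reveals a wildcard expansion), and then applies section 9.2: if the NSEC3 that covers the next closer name carries the Opt-Out flag, AD must stay clear. The two NSEC3 records are copied from the dig output above, the RRSIG Labels value 3 is taken from the A RRSIG above, and the script assumes those RRSIGs have already been validated (it checks no signatures). All function names are the example's own.

```python
"""Decide whether a validator may set AD on an NSEC3 opt-out answer (RFC 5155 sections 5, 8.3, 8.8, 9.2)."""
import base64
import hashlib
from typing import NamedTuple, Optional

OPT_OUT = 0x01  # NSEC3 Flags field, RFC 5155 section 3.1.2.1

# Sample input: the two NSEC3 RRs from the thread's dig output (RDATA only; RRSIGs are assumed valid).
RESPONSE_NSEC3 = [
    "M4GQOHDDG61QJPFKMEQHRL8IPV8I63E4.optout.example. 3600 IN NSEC3 1 1 10 - QVSNM823Q1GIK9CRGG58TK9AOLCR0DC2",
    "EJ0VQS7A2RURJ4K5QLMURRQQGIG667KK.optout.example. 3600 IN NSEC3 1 1 10 - F1B8R8H9UMD9OS8NH6I63TOO0K39AB11 A RRSIG",
]

class NSEC3(NamedTuple):
    owner_hash: str      # base32hex, lowercase: the first label of the owner name
    flags: int
    iterations: int
    salt: bytes
    next_hash: str
    types: frozenset

_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def b32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet (RFC 4648 section 7); lowercase keeps the sort order."""
    return base64.b32encode(data).translate(_B32_TO_B32HEX).decode("ascii").rstrip("=").lower()

def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = SHA-1(name || salt); IH(k) = SHA-1(IH(k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)

def parse_nsec3(line: str) -> NSEC3:
    """Parse presentation format: owner ttl class NSEC3 alg flags iterations salt next [types...]."""
    f = line.split()
    i = f.index("NSEC3")
    alg, flags, iterations, salt, next_hash = int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), f[i + 4], f[i + 5]
    if alg != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    return NSEC3(f[0].split(".")[0].lower(), flags, iterations,
                 b"" if salt == "-" else bytes.fromhex(salt), next_hash.lower(), frozenset(f[i + 6:]))

def covers(rr: NSEC3, h: str) -> bool:
    """True if hash h lies strictly between owner and next, including the wrap-around at chain end."""
    if rr.owner_hash == rr.next_hash:              # single-record chain covers every other hash
        return h != rr.owner_hash
    if rr.owner_hash < rr.next_hash:
        return rr.owner_hash < h < rr.next_hash
    return h > rr.owner_hash or h < rr.next_hash   # last record wraps around to the first

def wildcard_closest_encloser(qname: str, rrsig_labels: int) -> Optional[str]:
    """RFC 5155 section 8.8: an RRSIG Labels field smaller than the query name's label count means a
    wildcard was expanded; the closest encloser is the query name's trailing rrsig_labels labels."""
    labels = qname.rstrip(".").lower().split(".")
    if rrsig_labels >= len(labels):
        return None
    return ".".join(labels[-rrsig_labels:]) + "."

def find_closest_encloser(qname, zone, nsec3s):
    """RFC 5155 section 8.3: walk the ancestors of qname toward the apex. The first one that has a
    matching NSEC3 while its child on the qname path (the next closer name) has a covering NSEC3 is
    the closest encloser. Returns (encloser, next_closer, covering_rr) or None."""
    labels = qname.rstrip(".").lower().split(".")
    apex = len(zone.rstrip(".").split("."))
    for i in range(1, len(labels) - apex + 1):
        encloser, next_closer = ".".join(labels[i:]) + ".", ".".join(labels[i - 1:]) + "."
        for rr in nsec3s:
            if rr.owner_hash != nsec3_hash(encloser, rr.salt, rr.iterations):
                continue
            h_nc = nsec3_hash(next_closer, rr.salt, rr.iterations)
            covering = next((c for c in nsec3s if covers(c, h_nc)), None)
            if covering is not None:
                return encloser, next_closer, covering
    return None

def ad_bit_permitted(qname, zone, nsec3s, wildcard_rrsig_labels=None):
    """RFC 5155 section 9.2: when the NSEC3 covering the next closer name has Opt-Out set, the closest
    encloser proof is only insecure and the validator MUST NOT set AD. Returns (bool, reason)."""
    if wildcard_rrsig_labels is not None:
        # Wildcard expansion: the encloser comes from the RRSIG, only the covering NSEC3 is needed.
        encloser = wildcard_closest_encloser(qname, wildcard_rrsig_labels)
        if encloser is None:
            return False, "RRSIG Labels field does not indicate a wildcard expansion"
        next_closer = ".".join(qname.rstrip(".").lower().split(".")[-(wildcard_rrsig_labels + 1):]) + "."
        covering = next((c for c in nsec3s if covers(c, nsec3_hash(next_closer, c.salt, c.iterations))), None)
    else:
        proof = find_closest_encloser(qname, zone, nsec3s)
        if proof is None:
            return False, "no closest encloser proof in the response"
        encloser, next_closer, covering = proof
    if covering is None:
        return False, "no NSEC3 covers the next closer name " + next_closer
    if covering.flags & OPT_OUT:
        return False, covering.owner_hash + " covers " + next_closer + " with Opt-Out set: AD must be clear"
    return True, covering.owner_hash + " covers " + next_closer + " without Opt-Out: AD may be set"

if __name__ == "__main__":
    rrs = [parse_nsec3(line) for line in RESPONSE_NSEC3]
    # Wildcard expansion: the thread's A RRSIG has Labels=3 for a 4-label query name.
    print("A   :", ad_bit_permitted("b.wild.optout.example.", "optout.example.", rrs, wildcard_rrsig_labels=3))
    # Wildcard no data: derive the closest encloser from the NSEC3 RRs alone.
    print("AAAA:", ad_bit_permitted("b.wild.optout.example.", "optout.example.", rrs))
```

Run it as a script to see the decision for the two responses above; the same function gives the same verdict for both queries when the same opt-out NSEC3 covers the next closer name, which is the consistency the original question is about. The hash routine can be checked against the RFC 5155 Appendix A test vector (H(example) with salt aabbccdd and 12 iterations is 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom).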

Hi Jia Li,

Could it be that you are using a version before 1.4.9? There is a fix
listed: Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in
optout, in unbound 1.4.9.

Best regards,
   Wouter

On 07/07/2011 17:28, W.C.A Wijngaards wrote:
> Could it be that you are using a version before 1.4.9? There is a fix
> listed: Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in
> optout, in unbound 1.4.9.

I'm using version 1.4.11; besides, if unbound 1.4.7 is used, it returns the AD flag in the wildcard expansion case. I also noticed this fix, so I got confused when I encountered the inconsistency. I think maybe some cases are missed in the AD flag fix.

2011-07-08

Jia Li

Hi Jia Li,