
List:       unbound-users
Subject:    Re: [Unbound-users] Strange validation errors for proofs of non-existence in .com, .net,
From:       Ondrej Mikle <ondrej.mikle () nic ! cz>
Date:       2013-01-03 13:08:12
Message-ID: 50E582BC.1070306 () nic ! cz

On 01/03/2013 09:01 AM, W.C.A. Wijngaards wrote:
> On 01/02/2013 06:31 PM, Ondrej Mikle wrote:
> 
>>> The machine at 193.29.206.206 that sets the AD flag for optout
>>> NSEC3 NXDOMAIN fails to implement RFC5155.
> 
>> I've just asked admins today and the 193.29.206.206 machine runs
>> unbound 1.4.6-1 from Ubuntu Lucid.
> 
> So, it is a bug in an older version of unbound, which has already been
> fixed (ii)?  Ah yes, in 1.4.7 there is this bugfix: Abide RFC5155
> section 9.2: no AD flag for replies with NSEC3 optout.

Thanks, this is likely the reason I remember the validation "working". I went
through some of the older recorded scans of .com from May and the .com NSEC3s were
'insecure' back then, too. I'd guess it will be the same with .net TLD.

Ondrej



_______________________________________________
Unbound-users mailing list
Unbound-users@unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
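
The RFC 5155 section 9.2 rule discussed in this thread, as an added example that is not part of the original messages and is not Unbound's code: a validator withholds the AD flag when the NSEC3 record covering the next closer name has the Opt-Out bit set. The function names, the name `missing.example`, the salt and the iteration count are constructed for illustration.

```python
import hashlib

OPT_OUT = 0x01  # Opt-Out bit in the NSEC3 Flags field (RFC 5155)

def wire_name(name):
    """Lowercased wire format of a domain name, the input to the NSEC3 hash."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1 over name plus salt, re-hashed `iterations` times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def covers(owner_hash, next_hash, target):
    """True if target lies strictly between owner and next in hash order."""
    if owner_hash < next_hash:
        return owner_hash < target < next_hash
    return target > owner_hash or target < next_hash  # last NSEC3 wraps around

def ad_allowed(next_closer, nsec3_rrs, salt, iterations):
    """nsec3_rrs: list of (owner_hash, flags, next_hash) from the response.
    AD is refused when the NSEC3 covering the next closer name has Opt-Out set."""
    target = nsec3_hash(next_closer, salt, iterations)
    for owner_hash, flags, next_hash in nsec3_rrs:
        if covers(owner_hash, next_hash, target):
            return not (flags & OPT_OUT)
    return False  # assumption: no covering NSEC3 means no proof, so no AD

def neighbour(h, delta):
    """Constructed-data helper: the 160-bit hash value `delta` away from h."""
    return ((int.from_bytes(h, "big") + delta) % (1 << 160)).to_bytes(20, "big")

# Constructed sample: a fictional name, salt and iteration count (not from the thread).
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 5
H = nsec3_hash("missing.example", SALT, ITERATIONS)
OPTOUT_SPAN = [(neighbour(H, -1), 0x01, neighbour(H, 1))]  # Opt-Out set
SIGNED_SPAN = [(neighbour(H, -1), 0x00, neighbour(H, 1))]  # Opt-Out clear

if __name__ == "__main__":
    for label, rrs in (("opt-out", OPTOUT_SPAN), ("no opt-out", SIGNED_SPAN)):
        print(label, "-> AD allowed:", ad_allowed("missing.example", rrs, SALT, ITERATIONS))
```

An Opt-Out span proves only that no signed delegation exists in that range, since unsigned delegations may be present without appearing in the chain, which is why the answer is treated as insecure.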
