I haven't found the dns64 draft yet, but was involved in the discussion in 2001 over the AD bit.
A bunch of people, in the past, wrote this stuff:
> So AD doesn't mean "I validated this", but rather "I know this is valid".
> That is correct. The AD bit isn't a statement of how the server learned the information but an affirmation that the response meets the server's security metric.
> That is a pretty large (and I believe unwarranted) leap in logic. There is a world of difference between "I am authoritative for this zone" and "I validated a response I got from an authoritative server and then glued stuff onto it."
> Yeah, there is a large difference. But I don't see how this is germane. So long as the server is content that the data is valid, it gets the AD bit.
> This question comes down to whether the AD bit is guaranteeing that the data is exactly the data that would be provided by the authority server, or whether it is merely a claim of trustworthiness. If it's the former, and one wants to argue for that, one will need a very strong argument about which parts of the DNSSEC RFCs prove as much.
It's the latter, merely a claim of trustworthiness according to the sender of the response. A DNSSEC signature provides "authenticity" back to the signer. The AD bit is set by the sender, not the signer. The AD bit is not protected by any RFC 4033-5 (DNSSEC III) mechanism; it is protected (if at all) by message integrity (TSIG) or underlying network security (e.g. VPN, IPsec, your choice).
Just as DNSSEC does not guarantee correctness - the signer might sign an incorrectly typed AAAA record - the AD bit does not guarantee source authenticity.
--
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468
Getting everything you want is easy if you don't want much.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
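An added example, not from the thread above, illustrating the point that the AD bit lives in the DNS header and is outside what RRSIGs cover: it parses and flips the flag in a constructed wire-format header (RFC 1035 header layout, AD position per RFC 4035) and shows the stub-side policy of honoring AD only over an authenticated channel. The `trust_ad` policy function and the sample header are assumptions for illustration.

```python
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (six 16-bit fields).
# In FLAGS, numbering bits 0..15 from the MSB: QR=0, Opcode=1-4, AA=5, TC=6,
# RD=7, RA=8, Z=9, AD=10, CD=11, RCODE=12-15.
AD_FLAG = 0x0020   # Authentic Data (RFC 4035 section 3.2.3)
CD_FLAG = 0x0010   # Checking Disabled

def build_header(msg_id, flags, qd=1, an=0, ns=0, ar=0):
    """Pack a 12-byte DNS header (constructed sample input)."""
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)

def ad_bit(msg):
    """Return True if the AD flag is set in a wire-format DNS message."""
    (flags,) = struct.unpack_from("!H", msg, 2)
    return bool(flags & AD_FLAG)

def set_ad(msg, value):
    """Return a copy of msg with the AD flag forced on or off.
    Only the header changes; the RRsets and their RRSIGs are untouched,
    which is why DNSSEC signatures cannot detect a modified AD bit."""
    (flags,) = struct.unpack_from("!H", msg, 2)
    flags = (flags | AD_FLAG) if value else (flags & ~AD_FLAG)
    return msg[:2] + struct.pack("!H", flags) + msg[4:]

def trust_ad(msg, channel_authenticated):
    """Stub-resolver policy (hypothetical helper): AD is only the sender's
    claim, so treat the answer as validated only when the path to that
    sender is itself protected (TSIG, loopback, VPN/IPsec)."""
    return bool(channel_authenticated) and ad_bit(msg)

if __name__ == "__main__":
    # QR=1, RD=1, RA=1 is 0x8180; a validating resolver would add AD.
    clean = build_header(0x1234, 0x8180 | AD_FLAG)
    print("AD over TSIG/loopback honored:", trust_ad(clean, True))
    print("AD over plain UDP honored:", trust_ad(clean, False))
```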