[Bug 242956] Re: Bind9 (8.04) not returning 'ad' flag when dnssec is enabled
buecking at gmail.com
Thu Jul 3 03:11:50 BST 2008
Thanks for your response.
> What you're seeing here is that the AD bit was redefined here:
That is why options edns0 is defined, so that the client is forced to
ask for the AD bit. Who do you suggest I talk to about this?
Bryan Buecking http://www.starling-software.com
On Wed, Jul 02, 2008 at 12:06:46PM -0000, LaMont Jones wrote:
> 9.4.2 rc1 introduced the following change:
> 2249. [bug] Only set Authentic Data bit if client requested DNSSEC, per RFC 3655 [RT #17175]
> ** Changed in: bind9 (Ubuntu)
> Assignee: (unassigned) => LaMont Jones (lamont)
> Status: New => Invalid
> Bind9 (8.04) not returning 'ad' flag when dnssec is enabled
> You received this bug notification because you are a direct subscriber
> of the bug.
> Status in “bind9” source package in Ubuntu: Invalid
> Bug description:
> Binary package hint: bind9
> % lsb_release -rd
> Description: Ubuntu 8.04
> Release: 8.04
> % apt-cache policy bind9
> Installed: 1:9.4.2-10
> Candidate: 1:9.4.2-10
> Version table:
> *** 1:9.4.2-10 0
> 500 http://ubuntu-ashisuto.ubuntulinux.jp hardy/main Packages
> 100 /var/lib/dpkg/status
> % cat /etc/resolv.conf
> nameserver 127.0.0.1
> options edns0
> When running dig against dns server w/DNSSEC enabled it is expected that
> named should return the ad flag for authenticated records; however, this
> system is not returning the correct response. If I query asking for
> +dnssec the ad flag is properly returned - as expected.
> Without the ad flag I am not able to use ssh VerifyHostKeyDNS.
> I have two systems with identical named configs. System A is a NetBSD
> machine running Bind 9.4.2 built against OpenSSL 0.9.8d 28 Sep 2006, and
> System B Ubuntu 8.04 running Bind 9.4.2 built against OpenSSL 0.9.8g 19
> Oct 2007.
> If I dig @system-a foo.example.com A the ad flag is returned; but as I
> mentioned above if I dig @system-b foo.example.com A the ad flag is not
> returned even though the configurations are exactly the same.
> When querying for an SSHFP record both servers, a and b, return the same
> SSHFP record in the results.
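
As an added illustration (not part of the original thread and not BIND's code), the Python sketch below shows where the two bits discussed here sit on the wire: AD in the DNS header flags and DO ("DNSSEC OK") in the EDNS0 OPT record. `model_response` is a hypothetical, simplified model of the quoted change 2249, assuming "client requested DNSSEC" means the query carried DO=1; the query name is a constructed sample.

```python
import struct

QR, RD, AD = 0x8000, 0x0100, 0x0020  # DNS header flag bits
DO = 0x8000          # "DNSSEC OK" bit in the OPT record's flags (RFC 3225)
TYPE_OPT = 41        # EDNS0 pseudo-record type

def build_query(name, qtype=1, edns=False, dnssec_ok=False, msg_id=0x1234):
    """Build a DNS query; dnssec_ok implies an EDNS0 OPT record with DO=1."""
    edns = edns or dnssec_ok
    msg = struct.pack("!6H", msg_id, RD, 1, 0, 0, 1 if edns else 0)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS=IN
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO if dnssec_ok else 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def dnssec_bits(msg):
    """Report the AD header bit and whether an OPT record carries DO."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, edns, do = 12, False, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns, do = True, bool(ttl & DO)
    return {"ad": bool(flags & AD), "edns": edns, "do": do}

def model_response(query, validated):
    """Simplified model of change 2249: AD only if data validated AND DO was set."""
    flags = struct.unpack("!H", query[2:4])[0] | QR
    if validated and dnssec_bits(query)["do"]:
        flags |= AD
    return query[:2] + struct.pack("!H", flags) + query[4:]

if __name__ == "__main__":
    for label, kw in [("plain", {}), ("edns0 only", {"edns": True}), ("+dnssec", {"dnssec_ok": True})]:
        q = build_query("foo.example.com", **kw)   # constructed sample name
        print(label, dnssec_bits(q), "-> ad in reply:", dnssec_bits(model_response(q, True))["ad"])
```

Running `dnssec_bits` over a packet capture of the real client's query shows whether it actually sent an OPT record and whether DO was set in it.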