Tom <[email protected]> wrote:
>
> I've enabled deep log-debugging in BIND 9.12.2-P1 (resolver) for DNSSEC
> purposes and was wondering, why my resolver received an "authenticated data"
> answer from one of the authoritative servers for "org." (199.19.57.1), while
> the response has the TC (truncated) flag set too:

The relevant spec is RFC 3655 section 2, which doesn't say what to do if the
response is truncated. A reasonable implementation strategy is to build a
complete response, then truncate it if required. (This is not as wasteful as
it sounds because an authoritative server might have pre-compiled all possible
responses.) It's plausible not to have a special case to clear AD after
truncation if the response ends up empty, and it's allowed because every
record is authenticated (there just happen to be zero records).

https://tools.ietf.org/html/rfc3655#section-2

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Southeast Iceland: Cyclonic 4 or 5, becoming southeasterly 6 to gale 8,
veering southwesterly 7 to severe gale 9, perhaps storm 10 later. Very rough,
becoming high or very high. Rain then squally showers. Moderate or poor.
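
The build-then-truncate strategy described in the reply above, as an added Python sketch that is not part of the original thread and is not BIND's or any server's actual code. The function names, the placeholder DNSKEY data, the size limits, and the choice to drop the whole answer RRset on truncation are assumptions made for illustration.

```python
import struct

QR, TC, AD = 0x8000, 0x0200, 0x0020   # header flag bits; AD is redefined in RFC 3655

def encode_name(name):
    """Encode a domain name as length-prefixed labels, without compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_rr(name, rtype, ttl, rdata):
    """Serialize one class-IN resource record."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def respond(qid, qname, qtype, answers, authenticated, limit):
    """Build the complete response, then truncate it if it exceeds `limit` bytes."""
    flags = QR | (AD if authenticated else 0)      # AD is decided on the full answer
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    if 12 + len(question) + sum(len(rr) for rr in answers) > limit:
        answers = []                               # assumption: drop the whole RRset
        flags |= TC                                # no special case clears AD here
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)

def parse_header(wire):
    """Return the header fields a resolver's debug log would show for this response."""
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    return {"tc": bool(flags & TC), "ad": bool(flags & AD), "ancount": ancount}

# Constructed sample: four 300-byte placeholder DNSKEY (type 48) records for "org."
SAMPLE = [build_rr("org.", 48, 900, bytes(300)) for _ in range(4)]

if __name__ == "__main__":
    for limit in (512, 4096):
        wire = respond(0x1234, "org.", 48, SAMPLE, True, limit)
        print(limit, len(wire), parse_header(wire))
```

With the 512-byte limit the response carries both TC and AD with zero answer records, which is the combination the original question observed; with the larger limit the same records arrive intact with AD set and TC clear.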

