Redefinition of DNS Authenticated Data (AD) bit
RFC 3655 Redefinition of DNS AD bit November 2003
recursive query can now use the value of the AD bit to determine
whether the data is secure.
1.1. Motivation
A full DNSSEC capable resolver called directly from an application
can return to the application the security status of the RRsets in
the answer. However, most applications use a limited stub resolver
that relies on an external recursive name server which incorporates a
full resolver. The recursive nameserver can use the AD bit in a
response to indicate the security status of the data in the answer,
and the local resolver can pass this information to the application.
The application in this context can be either a human using a DNS
tool or a software application.
The AD bit SHOULD be used by the local resolver if and only if it has
been explicitly configured to trust the remote resolver. The AD bit
SHOULD be ignored when the recursive name server is not trusted.
An alternate solution would be to embed a full DNSSEC resolver into
every application, but this has several disadvantages.
- DNSSEC validation is both CPU and network intensive, and caching
SHOULD be used whenever possible.
- DNSSEC requires non-trivial configuration - the root key must be
configured, as well as keys for any "islands of security" that
will exist until DNSSEC is fully deployed. The number of
configuration points should be minimized.
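As an added example (not part of the RFC), the stub-side rule above written out in Python: parse the flag bits of a DNS response header and treat the answer as secure only when AD is set and the recursive server is one the stub has been explicitly configured to trust. The server addresses, message IDs and the header builder are constructed sample values for the demonstration.

```python
import struct
from dataclasses import dataclass

# Masks for the two flag bytes of the 12-byte DNS header (RFC 1035 layout;
# the AD and CD bits were added by RFC 2535).
QR_MASK, RD_MASK = 0x80, 0x01                    # high flags byte
RA_MASK, AD_MASK, CD_MASK, RCODE_MASK = 0x80, 0x20, 0x10, 0x0F  # low byte

@dataclass(frozen=True)
class Header:
    id: int
    qr: bool    # 1 = response
    rd: bool
    ra: bool
    ad: bool    # Authenticated Data
    cd: bool    # Checking Disabled
    rcode: int

def parse_header(msg: bytes) -> Header:
    """Decode the fixed header; the question/answer sections are not needed."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags = struct.unpack("!HH", msg[:4])
    hi, lo = flags >> 8, flags & 0xFF
    return Header(msg_id, bool(hi & QR_MASK), bool(hi & RD_MASK),
                  bool(lo & RA_MASK), bool(lo & AD_MASK), bool(lo & CD_MASK),
                  lo & RCODE_MASK)

def build_header(msg_id: int, *, qr: bool, ad: bool = False, cd: bool = False,
                 rd: bool = True, ra: bool = True) -> bytes:
    """Constructed sample header (all section counts zero) for the demo."""
    hi = (QR_MASK if qr else 0) | (RD_MASK if rd else 0)
    lo = (RA_MASK if ra else 0) | (AD_MASK if ad else 0) | (CD_MASK if cd else 0)
    return struct.pack("!HHHHHH", msg_id, (hi << 8) | lo, 0, 0, 0, 0)

def answer_is_secure(msg: bytes, server: str, trusted: frozenset) -> bool:
    """Section 1.1 rule: honour AD only from an explicitly trusted recursive
    server; from any other server the AD bit is ignored."""
    hdr = parse_header(msg)
    if not hdr.qr:                     # queries never carry a meaningful AD
        return False
    return server in trusted and hdr.ad

if __name__ == "__main__":
    TRUSTED = frozenset({"192.0.2.53"})     # constructed: the configured trusted server
    resp = build_header(0x1234, qr=True, ad=True)
    print(answer_is_secure(resp, "192.0.2.53", TRUSTED))    # True
    print(answer_is_secure(resp, "198.51.100.9", TRUSTED))  # False: AD ignored
    # CD is decoded independently of AD; a response can carry both bits.
    print(parse_header(build_header(0x1235, qr=True, ad=True, cd=True)).cd)  # True
```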
1.2. Requirements
The key words "MAY", "MAY NOT", "MUST", "MUST NOT", "SHOULD", "SHOULD
NOT", "RECOMMENDED", in this document are to be interpreted as
described in BCP 14, RFC 2119 [RFC 2119].
1.3. Updated documents and sections
The definition of the AD bit in RFC 2535, Section 6.1, is changed.
2. Setting of AD bit
The presence of the CD (Checking Disabled) bit in a query does not
affect the setting of the AD bit in the response. If the CD bit is
set, the server will not perform checking, but SHOULD still set the
AD bit if the data has already been cryptographically verified or
Wellington & Gudmundsson Standards Track