RFC 3655 (rfc3655) - Page 2 of 8

Redefinition of DNS Authenticated Data (AD) bit

Alternative Format: Original Text Document
< Previous
Next >
RFC 3655               Redefinition of DNS AD bit          November 2003


   recursive query can now use the value of the AD bit to determine
   whether the data is secure.

1.1.  Motivation

   A full DNSSEC capable resolver called directly from an application
   can return to the application the security status of the RRsets in
   the answer.  However, most applications use a limited stub resolver
   that relies on an external recursive name server which incorporates a
   full resolver.  The recursive nameserver can use the AD bit in a
   response to indicate the security status of the data in the answer,
   and the local resolver can pass this information to the application.
   The application in this context can be either a human using a DNS
   tool or a software application.

   The AD bit SHOULD be used by the local resolver if and only if it has
   been explicitly configured to trust the remote resolver.  The AD bit
   SHOULD be ignored when the recursive name server is not trusted.

   An alternate solution would be to embed a full DNSSEC resolver into
   every application, but this has several disadvantages.

   -  DNSSEC validation is both CPU and network intensive, and caching
      SHOULD be used whenever possible.

   -  DNSSEC requires non-trivial configuration - the root key must be
      configured, as well as keys for any "islands of security" that
      will exist until DNSSEC is fully deployed.  The number of
      configuration points should be minimized.

1.2.  Requirements

   The key words "MAY", "MAY NOT" "MUST", "MUST NOT", "SHOULD", "SHOULD
   NOT", "RECOMMENDED", in this document are to be interpreted as
   described in BCP 14, RFC 2119 [RFC 2119].

1.3.  Updated documents and sections

   The definition of the AD bit in RFC 2535, Section 6.1, is changed.

2.  Setting of AD bit

   The presence of the CD (Checking Disabled) bit in a query does not
   affect the setting of the AD bit in the response.  If the CD bit is
   set, the server will not perform checking, but SHOULD still set the
   AD bit if the data has already been cryptographically verified or





Wellington & Gudmundsson    Standards Track
< Previous
Next >