Bit
... AD (Authenticated Data)
bit indicates in a response that all data included in the answer and
authority sections of the response have been authenticated ...
... security policy.
This document redefines the AD bit such that it is only set if all
data in the response has been cryptographically verified or otherwise
meets the server's local security policy ...
...
recursive query can now use the value of the AD bit to determine
whether the data is secure.
...
... name server which incorporates a
full resolver. The recursive nameserver can use the AD bit in a
response to indicate the security status of the data in the answer,
...
... tool or a software application.
The AD bit SHOULD be used by the local resolver if and only if it has
been explicitly configured to trust the remote resolver. The AD bit
SHOULD be ignored when the recursive name server is not trusted.
...
...
The definition of the AD bit in RFC 2535, Section 6.1, is changed.
...
... Setting of AD bit ...
... The presence of the CD (Checking Disabled) bit in a query does not
affect the setting of the AD bit in the response. If the CD bit is
set, the server will not perform checking, but SHOULD still set the
AD bit if the data has already been cryptographically verified or
complies with local policy. The AD bit MUST only be set if DNSSEC
records have been requested via the DO bit [RFC3225] and relevant SIG
...
... Setting of AD bit by recursive servers ...
... 2535 says:
"The AD bit MUST NOT be set on a response unless all of the RRs in
the answer and authority ...
... The replacement text reads:
"The AD bit MUST NOT be set on a response unless all of the RRsets in
the answer and authority sections of the response are Authenticated."
"The AD bit SHOULD be set if and only if all RRs in the answer
section and any relevant negative response RRs ...
... A recursive DNS server following this modified specification will
only set the AD bit when it has cryptographically verified the data
in the answer.
...
... Setting of AD bit by authoritative servers ...
... Authenticated
unless the zone was transferred securely and/or the data was
verified. An authoritative server MUST only set the AD bit for
authoritative answers from a secure zone if it has been explicitly
configured to do so. The default for this behavior SHOULD be off.
Note that having the AD bit clear on an authoritative answer is
normal and expected behavior.
...
... Justification for setting AD bit w/o verifying data ...
...
The setting of the AD bit by authoritative servers affects only the
small set of resolvers that are configured to directly query and
trust authoritative servers. This only affects servers that function
as both recursive and authoritative. Iterative resolvers SHOULD
ignore the AD bit.
The cost of verifying all signatures ...
... Interpretation of the AD bit ...
... A response containing data marked Insecure in the answer or authority
section MUST never have the AD bit set. In this case, the resolver
SHOULD treat the data as Insecure whether or not SIG records are
...
...
A resolver MUST NOT blindly trust the AD bit unless it communicates
with a recursive nameserver over a secure transport mechanism ...
...
The AD bit is intended to allow the transmission of the indication
that a resolver has verified the DNSSEC signatures accompanying the
records in the Answer and Authority section. The AD bit MUST only be
trusted when the end consumer of the DNS data has confidence that the
intermediary resolver setting the AD bit is trustworthy. This can
only be accomplished via an out of band mechanism such as:
...
... nameserver is trustworthy.
In the absence of one or more of these factors, the AD bit from a
recursive name server SHOULD NOT be trusted. For example, home users
...
... nameservers available, running one locally is RECOMMENDED. This has
the advantage that it can be trusted, and the AD bit can still be
used to allow applications to use stub resolvers.
...
...
This document redefines a bit in the DNS header. If a resolver
trusts the value of the AD bit, it must be sure that the responder is
using the updated definition, which is any DNS server/resolver
supporting the DO bit [RFC3225].
...
Authoritative servers can be explicitly configured to set the AD bit
on answers without doing cryptographic checks. This behavior MUST be
...
...
Resolvers (full or stub) that blindly trust the AD bit without
knowing the security policy of the server generating the answer can
...
...
A resolver MUST NOT blindly trust the AD bit unless it communicates
with a recursive nameserver over a secure transport mechanism,
such as IPsec, or using message authentication ...
