Confused: The AD bit according to RFC2535.

Roy Arends roy at nlnetlabs.nl
Mon Apr 3 15:09:58 UTC 2000


Hello,

I've a little trouble understanding the value of the AD bit in a response.

According to RFC2535:

1. In section 6.1 it states: 
   "The AD (authentic data) bit indicates in a response that all the data
    included in the answer and authority portion of the response has been
    authenticated by the server according to the policies of that server."

The definition of authenticated data:

2. In section 6. it states:
   "Authenticated means that the data has a valid SIG under a KEY 
    traceable via a chain of zero or more SIG and KEY RRs allowed by the
    resolvers policies to a KEY staticly configured at the resolver."

But it seems to contradict the following statement in:

3. In section 6.1 last paragraph:
   "For non-security aware resolvers or security aware resolvers
    requesting service by having the CD bit clear, security aware servers
    MUST return only Authenticated or Insecure data in the answer and
    authority sections with the AD bit set in the response."

And also with the statement in:

4. Appendix B: part 9:
   "The AD bit only indicates that the answer and authority sections of
    the response are authoritative."

In short:

1 and 2 look like the AD bit is indicating that the returned data is
cryptographically checked.

3 and 4 look like the AD bit is indicating that the returned data is
either cryptographically secure or is data from an insecure zone.

TIA, regards,

Roy Arends
-- 
roy at nlnetlabs.nl                NLnetLabs
tel +31208884551                Kruislaan 419
|\ ||   _  _|_  |   _ |_  _     1098 VA  Amsterdam
| \||__| )(-|_  |__(_||_)_)     The Netherlands
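The flag under discussion, decoded and manipulated on the wire. This is an added example and not code from the post, from BIND, or from the RFC: it takes the header layout from RFC 1035 section 4.1.1 with the AD and CD positions assigned by RFC 2535 section 6.1, and every message byte in it is constructed by hand, not captured. The point it makes beyond the quoted text is that AD is one plaintext bit in the header; no SIG RR covers the header, so the bit carries only the server's own assertion ("according to the policies of that server") and a client that did not validate the chain itself cannot tell a genuine AD from one set on the path.

```python
"""Decode, build and flip the AD/CD bits of a DNS message header.

Added example, not from the post, BIND or RFC 2535. Layout per RFC 1035
section 4.1.1; AD/CD bit positions per RFC 2535 section 6.1. All message
bytes below are constructed for the example.
"""
import struct

# Flags word, most significant bit first:
#   QR | Opcode(4) | AA | TC | RD | RA | Z | AD | CD | RCODE(4)
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_Z = 0x0040
FLAG_AD = 0x0020   # authentic data (RFC 2535 section 6.1)
FLAG_CD = 0x0010   # checking disabled (RFC 2535 section 6.1)
OPCODE_SHIFT = 11
RCODE_MASK = 0x000F
HEADER_LEN = 12


def parse_header(msg: bytes) -> dict:
    """Unpack the fixed 12-byte header; refuse anything shorter."""
    if len(msg) < HEADER_LEN:
        raise ValueError("DNS message shorter than the %d-byte header" % HEADER_LEN)
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "opcode": (flags >> OPCODE_SHIFT) & 0xF,
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "z": bool(flags & FLAG_Z),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_header(ident, *, qr=False, opcode=0, aa=False, tc=False, rd=False,
                 ra=False, ad=False, cd=False, rcode=0,
                 qdcount=0, ancount=0, nscount=0, arcount=0) -> bytes:
    """Pack a header from named fields; the inverse of parse_header."""
    flags = ((opcode & 0xF) << OPCODE_SHIFT) | (rcode & RCODE_MASK)
    for on, bit in ((qr, FLAG_QR), (aa, FLAG_AA), (tc, FLAG_TC), (rd, FLAG_RD),
                    (ra, FLAG_RA), (ad, FLAG_AD), (cd, FLAG_CD)):
        if on:
            flags |= bit
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, nscount, arcount)


def set_ad(msg: bytes, value: bool) -> bytes:
    """Return a copy of msg with AD forced on or off and nothing else changed.

    AD lives in the low nibble of header byte 3. No SIG RR covers the header,
    so the receiver has no way to distinguish this copy from the original.
    """
    hdr = bytearray(msg[:HEADER_LEN])
    if value:
        hdr[3] |= FLAG_AD & 0xFF
    else:
        hdr[3] &= 0xFF ^ (FLAG_AD & 0xFF)
    return bytes(hdr) + msg[HEADER_LEN:]


def ad_meaning(hdr: dict) -> str:
    """What RFC 2535 section 6.1 lets the receiver read from the bits."""
    if not hdr["qr"]:
        return "query: AD carries nothing; CD=%d tells the server whether Pending data is acceptable" % hdr["cd"]
    if hdr["ad"]:
        return "response: server asserts answer+authority authenticated under its own policy"
    return "response: server makes no authentication claim for answer+authority"


if __name__ == "__main__":
    # Constructed response header followed by a fake question section.
    resp = build_header(0x1234, qr=True, rd=True, ra=True, ad=True, qdcount=1, ancount=2)
    resp += b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    for m in (resp, set_ad(resp, False)):
        h = parse_header(m)
        print("flags=0x%02x%02x ad=%d cd=%d -> %s" % (m[2], m[3], h["ad"], h["cd"], ad_meaning(h)))
```

Run it and the two lines differ in exactly one bit of byte 3 and in what the receiver is entitled to conclude; the question, answer and authority bytes are identical. That is why the RFC text quoted above ties the meaning of AD to the policies of the responding server rather than to anything the client can check in the message.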





More information about the bind-users mailing list