Also validate on +DO #4160

Merged
merged 4 commits into from Jul 14, 2016

@pieterlexis
Member

For compatibility with older client applications

@Habbie Habbie and 1 other commented on an outdated diff Jul 13, 2016
docs/markdown/changelog.raw.md
@@ -1,5 +1,12 @@
**Note**: Beyond PowerDNS 2.9.20, the Authoritative Server and Recursor are released separately.
+# PowerDNS Recursor 4.0.1
+UNRELEASED
+
+## Bug fixes
+
+ - [#4160](https://github.com/PowerDNS/pdns/pull/4160) Also validate on +DO
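
Review bot: the added entry under `## Bug fixes` only repeats the PR title, "Also validate on +DO", so a changelog reader cannot tell which setting changes behaviour. Suggest naming the mode and the effect, for example that with `dnssec` set to `process` a query with the DO bit set is now validated the same way as one with the AD bit set. The `UNRELEASED` placeholder also needs a date before this ships.
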
@Habbie
Habbie Jul 13, 2016 Member

I don't think it's a bug fix ;)

@pieterlexis
pieterlexis Jul 13, 2016 Member

it fixes an interop bug imo :)

@Habbie
Habbie Jul 13, 2016 edited Member

let's call it an improvement, and maybe mention the interop issue specifically

@Habbie Habbie and 1 other commented on an outdated diff Jul 13, 2016
docs/markdown/recursor/dnssec.md
@@ -22,9 +22,11 @@ requested by the client.
## `process`
When `dnssec` is set to `process` the behaviour is similar to [`process-no-validate`](#process-no-validate).
-However, when the query has the AD-bit set, the recursor will try to validate the
-data and set the AD-bit in the response when the data is validated and send a
-SERVFAIL on a bogus answer.
+However, the recursor will try to validate the data and if either the DO or AD bit is set in the query, it will set the AD-bit in the response when the data is validated and send a SERVFAIL on a bogus answer.
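
Review bot: in the new `+However, ...` sentence, "will try to validate the data and if either the DO or AD bit is set" reads as if validation always runs and the bits only gate the AD-bit in the response, and it is unclear whether the SERVFAIL on a bogus answer is conditional as well. Suggest putting the condition first and giving the two outcomes their own clauses, so it is explicit which queries can receive a SERVFAIL.
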
@Habbie
Habbie Jul 13, 2016 Member

'will try to validate' - even when those bits are not set?

@pieterlexis
pieterlexis Jul 13, 2016 Member

and 'and' too many

@Habbie
Member
Habbie commented Jul 13, 2016

nits. rest LGTM.

@pieterlexis
Member

nits fixed

@Habbie Habbie commented on an outdated diff Jul 13, 2016
docs/markdown/changelog.raw.md
@@ -1,5 +1,16 @@
**Note**: Beyond PowerDNS 2.9.20, the Authoritative Server and Recursor are released separately.
+# PowerDNS Recursor 4.0.1
+UNRELEASED
+
+This release improve interoperability with DNSSEC clients that expect an AD-bit on validated data when they query with only the DO-bit set.
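
Review bot: the summary line mentions only the AD-bit on validated data, but per the `process` text in docs/markdown/recursor/dnssec.md changed in this same PR, a query with only the DO bit set can now also receive a SERVFAIL on a bogus answer, which is the change operators are more likely to notice. Suggest adding that and naming the `process` setting, since the sentence as written reads as applying to every configuration. "improve" should also be "improves".
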
@Habbie
Habbie Jul 13, 2016 Member

improves

@Habbie Habbie commented on an outdated diff Jul 13, 2016
docs/markdown/recursor/dnssec.md
@@ -22,12 +22,14 @@ requested by the client.
## `process`
When `dnssec` is set to `process` the behaviour is similar to [`process-no-validate`](#process-no-validate).
-However, when the query has the AD-bit set, the recursor will try to validate the
-data and set the AD-bit in the response when the data is validated and send a
-SERVFAIL on a bogus answer.
+However, the recursor will try to validate the data if at least one of the DO or AD bit is set in the query, it will set the AD-bit in the response when the data is validated and send a SERVFAIL on a bogus answer.
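
Review bot: the `+However, ...` line joins the condition and its consequence with a comma splice ("... is set in the query, it will set ..."), and "DO or AD bit" should be "bits". Suggest a semicolon or a new sentence at that point, plus a short closing sentence saying what a query with neither bit set gets, since the paragraph opens by contrasting with `process-no-validate` but never states that case.
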
@Habbie
Habbie Jul 13, 2016 Member

However, the recursor will try to validate the data if at least one of the DO or AD bits is set in the query; in that case, it will set the AD-bit in the response when the data is validated successfully, or send SERVFAIL when the validation comes up bogus.

@Habbie
Member
Habbie commented Jul 13, 2016

two more nits; then feel free to merge

@pieterlexis pieterlexis merged commit dc48cf2 into PowerDNS:master Jul 14, 2016

@pieterlexis pieterlexis deleted the pieterlexis:do-means-ad branch Jul 14, 2016