## page was renamed from DNSSEC/cdflag
= DNSSEC/cdflag =

DNSSEC and Google's Public DNS Service, 9 Apr 2013, in DNS, by Geoff Huston: http://labs.apnic.net/?p=316

Unbound: https://www.unbound.net/pipermail/unbound-users/2016-March/004272.html

----
Can anyone understand it from an explanation like this?
{{{
+[no]cdflag
    Set [do not set] the CD (checking disabled) bit in the query.
    This requests the server to not perform DNSSEC validation of responses.
}}}
Does it ignore all entries that are already cached?
In particular, how are entries that failed validation handled?
I do not intend to read the DNSSEC RFCs closely.

-- ToshinoriMaeno <>

In early DNSSEC: http://www.freesoft.org/CIE/RFC/2065/40.htm
{{{
The CD (checking disabled) bit indicates in a query that non-verified data is acceptable to the resolver sending the query.
}}}
These bits are zero in old servers and resolvers. Security aware servers NEVER return Bad data. For non-security aware resolvers or security aware resolvers requesting service by having the CD bit clear, security aware servers MUST return only Authenticated or Insecure data with the AD bit set in the response. Security aware resolvers will know that if data is Insecure versus Authentic by the absence of SIG RRs.

Security aware servers MAY return Pending data to security aware resolvers requesting the service by clearing the AD bit in the response. The AD bit MUST NOT be set on a response unless all of the RRs in the response are either Authenticated or Insecure.
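The following is an added example, not part of this wiki page and not code by ToshinoriMaeno, dig or Unbound. It shows where the CD bit actually lives on the wire (header flag 0x0010, which is all `dig +cdflag` sets), decodes the AD and CD bits from a response header, and models the RFC 2065 rule quoted above as a small decision function: whether a security-aware server may return a set of RRs in the given security states, and whether it may set AD on that response. The query name, transaction id and sample response bytes are constructed for illustration; `rfc2065_response` is a reading of the quoted text, not an implementation of any real resolver.

```python
"""Added example: the CD bit on the wire, and the RFC 2065 rule quoted on this page."""
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD were added by RFC 2065)
FLAG_QR = 0x8000  # response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data: set by a validating server in responses
FLAG_CD = 0x0010  # checking disabled: set by the client in queries (dig +cdflag)
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a domain name as wire-format labels, e.g. 'a.example' -> b'\\x01a\\x07example\\x00'."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def build_query(name, qtype=QTYPE_A, txid=0x1234, rd=True, cd=False):
    """Build a DNS query packet; cd=True is the wire equivalent of dig +cdflag."""
    flags = (FLAG_RD if rd else 0) | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(packet):
    """Decode the 12-octet DNS header into its flag bits and section counts."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


# The four data states named in the quoted RFC 2065 text.
AUTHENTICATED, INSECURE, PENDING, BAD = "Authenticated", "Insecure", "Pending", "Bad"


def rfc2065_response(cd_in_query, rr_states):
    """Model of the quoted RFC 2065 rule (assumption: a literal reading of that text).

    Returns (serve, ad): whether a security-aware server may return these RRs
    at all, and whether the AD bit may be set on that response.
    """
    if BAD in rr_states:
        return False, False  # "Security aware servers NEVER return Bad data"
    all_verified = all(s in (AUTHENTICATED, INSECURE) for s in rr_states)
    if not cd_in_query and not all_verified:
        return False, False  # CD clear: MUST return only Authenticated or Insecure data
    # CD set: Pending data MAY be returned, but then AD is cleared;
    # AD is only set when every RR is Authenticated or Insecure.
    return True, all_verified


if __name__ == "__main__":
    q = build_query("example.com.", cd=True)  # constructed query, like dig +cdflag
    print("query flags:", parse_header(q))
    # Constructed response from a validating resolver that set AD.
    ok = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
    print("validated response:", parse_header(ok))
    # Constructed SERVFAIL, what a CD-clear query gets when validation fails.
    sf = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 0)
    print("servfail response:", parse_header(sf))
    print("CD set, one Pending RR:", rfc2065_response(True, [AUTHENTICATED, PENDING]))
```

Note the asymmetry the quoted text describes: with CD clear the server refuses Pending data outright, while with CD set it may hand the same data back but must leave AD off, so the client, not the server, is the one deciding whether to trust it.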