Connected: An Internet Encyclopedia
RFC 2065, Section 6: The AD and CD Bits and How to Resolve Securely

6.1 The AD and CD Header Bits

Two previously unused bits are allocated out of the DNS query/response format header. The AD (authentic data) bit indicates in a response that the data included has been verified by the server providing it. The CD (checking disabled) bit indicates in a query that non-verified data is acceptable to the resolver sending the query.

These bits are allocated from the must-be-zero Z field as follows:

                                          1  1  1  1  1  1
            0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
          |                      ID                       |
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
          |QR|   Opcode  |AA|TC|RD|RA| Z|AD|CD|   RCODE   |
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
          |                    QDCOUNT                    |
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
          |                    ANCOUNT                    |
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
          |                    NSCOUNT                    |
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
          |                    ARCOUNT                    |
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

These bits are zero in old servers and resolvers. Thus the responses of old servers are not flagged as authenticated to security aware resolvers, and queries from non-security aware resolvers do not assert the checking disabled bit, so security aware servers answer them only with data the server has already checked. Aware resolvers MUST NOT trust the AD bit unless they trust the server they are talking to and either have a secure path to it or use DNS transaction security: the bit is an unauthenticated header flag, so anything that can spoof or modify the response can set it.

Any security aware resolver willing to do cryptography SHOULD assert the CD bit on all queries to reduce DNS latency time by allowing security aware servers to answer before they have resolved the validity of data.

Security aware servers NEVER return Bad data. For non-security aware resolvers, or security aware resolvers requesting the service by leaving the CD bit clear, security aware servers MUST return only Authenticated or Insecure data, with the AD bit set in the response. Security aware resolvers can tell Insecure data from Authenticated data by the absence of SIG RRs. Security aware servers MAY return Pending data to security aware resolvers that request it by setting the CD bit, clearing the AD bit in that response. The AD bit MUST NOT be set on a response unless all of the RRs in the response are either Authenticated or Insecure.
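The header layout and the AD/CD rules above, worked as an added Python example (this is not code from the RFC or from any resolver implementation): it packs a query header with CD set, parses the flags word and rejects a non-zero Z bit, applies the server-side rules for when AD may be set and when Pending data may be returned, and applies the client-side caveat that AD only means something over a trusted channel. The data-state names, the function names, and the practice of copying CD from the query into the response are assumptions made for the example.

```python
import struct

# Flag-word bit masks taken from the header diagram above. The figure numbers
# bits 0..15 from the most significant bit, so QR is 1<<15 and RCODE is the low 4 bits.
QR = 1 << 15
AA = 1 << 10
TC = 1 << 9
RD = 1 << 8
RA = 1 << 7
Z = 1 << 6       # must-be-zero
AD = 1 << 5      # authentic data
CD = 1 << 4      # checking disabled
OPCODE_SHIFT = 11
RCODE_MASK = 0xF

HEADER = struct.Struct("!HHHHHH")  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def build_query_header(msg_id, checking_disabled=True, recursion_desired=True, qdcount=1):
    """Pack a 12-byte query header. CD defaults to set, as the text recommends for a
    resolver that will validate SIG RRs itself."""
    flags = 0
    if recursion_desired:
        flags |= RD
    if checking_disabled:
        flags |= CD
    return HEADER.pack(msg_id, flags, qdcount, 0, 0, 0)


def pack_response_header(msg_id, flags, ancount, qdcount=1):
    """Pack a 12-byte response header with the flags decided by server_response()."""
    return HEADER.pack(msg_id, flags, qdcount, ancount, 0, 0)


def parse_header(data):
    """Unpack a 12-byte header into named fields; a set Z bit is rejected."""
    if len(data) < HEADER.size:
        raise ValueError("short DNS header")
    msg_id, flags, qd, an, ns, ar = HEADER.unpack_from(data)
    if flags & Z:
        raise ValueError("reserved Z bit set")
    return {
        "id": msg_id,
        "qr": bool(flags & QR),
        "opcode": (flags >> OPCODE_SHIFT) & 0xF,
        "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


# Per-RR data states a security aware server tracks (names assumed for this example).
AUTHENTICATED, INSECURE, PENDING, BAD = "Authenticated", "Insecure", "Pending", "Bad"


def server_response(query_header, rrs):
    """Apply the server-side rules: never return Bad data; with CD clear, answer only
    once every remaining RR is Authenticated or Insecure, and set AD; with CD set,
    Pending data MAY be returned at once, but then AD MUST be clear.
    rrs is a list of (rdata, state). Returns (response_flags, rrs_to_send), or None
    when the server must finish validating before it can answer."""
    flags = QR | RA
    if query_header["rd"]:
        flags |= RD
    if query_header["cd"]:
        flags |= CD          # copying CD into the response is an assumption here
    usable = [(r, s) for r, s in rrs if s != BAD]        # Bad data is always dropped
    pending = [(r, s) for r, s in usable if s == PENDING]
    ready = [(r, s) for r, s in usable if s in (AUTHENTICATED, INSECURE)]
    if not pending:
        return flags | AD, ready          # all RRs checked: AD may be set
    if query_header["cd"]:
        return flags, ready + pending     # resolver accepts unverified data; AD stays clear
    return None                           # CD clear: must not answer with Pending data


def trust_ad(response_header, expected_id, server_trusted, secure_path, transaction_security):
    """Client-side caveat from the text: honour AD only from a trusted server reached over
    a secure path or with DNS transaction security. All three inputs are assumed to be
    known from configuration; none of them can be derived from the packet itself."""
    if not response_header["qr"] or response_header["id"] != expected_id:
        return False
    if not (server_trusted and (secure_path or transaction_security)):
        return False
    return response_header["ad"]


if __name__ == "__main__":
    # Constructed exchange: a validating resolver asks with CD set, the server has one
    # Authenticated RR and one still Pending, so it answers now with AD clear.
    q = parse_header(build_query_header(0x1234))
    flags, out = server_response(q, [("192.0.2.1", AUTHENTICATED), ("192.0.2.2", PENDING)])
    r = parse_header(pack_response_header(0x1234, flags, len(out)))
    print("AD set:", r["ad"], "CD echoed:", r["cd"], "RRs:", out)
```

A resolver that sets CD and then believes the answer without checking SIG RRs has opted out of the protection entirely; CD is a latency optimisation for a resolver that validates, not a way to skip validation.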
