6.1 The AD and CD Header Bits

Up: RFC 2065

Two previously unused bits are allocated out of the DNS query/response format header. The AD (authentic data) bit indicates in a response that the data included has been verified by the server providing it. The CD (checking disabled) bit indicates in a query that non-verified data is acceptable to the resolver sending the query.

These bits are allocated from the must-be-zero Z field as follows:

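                                          1  1  1  1  1  1
            0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
          |                      ID                       |
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
          |QR|   Opcode  |AA|TC|RD|RA| Z|AD|CD|   RCODE   |
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
          |                    QDCOUNT                    |
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
          |                    ANCOUNT                    |
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
          |                    NSCOUNT                    |
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
          |                    ARCOUNT                    |
          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+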

These bits are zero in old servers and resolvers. Thus the responses of old servers are not flagged as authenticated to security aware resolvers, and queries from non-security aware resolvers do not assert the checking disabled bit and thus will be answered by security aware servers only with authenticated data. Aware resolvers MUST NOT trust the AD bit unless they trust the server they are talking to and either have a secure path to it or use DNS transaction security.

Any security aware resolver willing to do cryptography SHOULD assert the CD bit on all queries to reduce DNS latency time by allowing security aware servers to answer before they have resolved the validity of data.

Security aware servers NEVER return Bad data. For non-security aware resolvers or security aware resolvers requesting service by having the CD bit clear, security aware servers MUST return only Authenticated or Insecure data with the AD bit set in the response. Security aware resolvers will know that data is Insecure versus Authentic by the absence of SIG RRs. Security aware servers MAY return Pending data to security aware resolvers requesting the service by clearing the AD bit in the response. The AD bit MUST NOT be set on a response unless all of the RRs in the response are either Authenticated or Insecure.
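
The header layout and the resolver-side trust rule above, as an added Python example that is not part of the RFC text. The function names, the `server_trusted` and `channel_secured` parameters, and the sample headers are assumptions constructed for illustration.

```python
import struct

# Masks for the second 16-bit header word, taken from the layout above
# (bit 0 is the most significant bit).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
AD = 0x0020  # bit 10: authentic data (meaningful in responses)
CD = 0x0010  # bit 11: checking disabled (meaningful in queries)


def build_query_header(msg_id, validate_locally, recursion=True):
    """12-byte header for a one-question query; CD is set only when the
    resolver will do the cryptographic checking itself."""
    flags = (RD if recursion else 0) | (CD if validate_locally else 0)
    return struct.pack("!6H", msg_id, flags, 1, 0, 0, 0)


def parse_flags(header):
    """Decode the ID and the flag bits relevant to this section."""
    if len(header) < 12:
        raise ValueError("DNS header is 12 bytes")
    msg_id, flags = struct.unpack("!HH", header[:4])
    return {"id": msg_id, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F}


def accept_ad(header, server_trusted, channel_secured):
    """Honour AD only from a trusted server reached over a secure path or
    with DNS transaction security (both flags are hypothetical inputs)."""
    f = parse_flags(header)
    if not f["qr"]:
        raise ValueError("AD is only meaningful in a response")
    return f["ad"] and server_trusted and channel_secured


# Constructed sample: response header with QR, RD, RA and AD set, one answer.
SAMPLE_RESPONSE = struct.pack("!6H", 0x1A2B, QR | RD | RA | AD, 1, 1, 0, 0)
# Constructed sample: an old server leaves bits 10 and 11 at zero.
OLD_SERVER_RESPONSE = struct.pack("!6H", 0x1A2B, QR | RD | RA, 1, 1, 0, 0)

if __name__ == "__main__":
    print(parse_flags(build_query_header(0x1A2B, validate_locally=True)))
    print(accept_ad(SAMPLE_RESPONSE, server_trusted=True, channel_secured=False))
```
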
