On 1/6/10 7:10 AM, Alan Clegg wrote:
> Tony Finch wrote:
>> On Wed, 6 Jan 2010, Pamela Rock wrote:
>>> Does that imply that +adflag sets the ad bit on the query and the
>>> response where +dnssec only sets the ad bit on the response?
>>
>> The AD flag is meaningless in a query. In a response it tells you whether
>> the server is authoritative or not. It has nothing to do with DNSSEC.
>
> Actually, BIND implements something a bit different...
>
> If a query is sent with the AD bit set, the flag is NOT reset if the
> upstream server succeeds in validating the data, even if the DO bit is
> not set.  If the data is not authenticated, the AD bit is reset in the
> response.
>
> This allows one to send a query to a BIND server that proves data to be
> validated (set AD on query, watch for AD on response) without having all
> of the DNSSEC related data (signatures, etc) in the response packet.

I tried this out and I noticed that both BIND and unbound appear to behave the same way when using dig in this manner. So both of the major validating implementations support it. I don't see specific reference to using the AD flag in queries in the RFCs (at least on a cursory glance), but it's a very useful feature.

michael
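The check Alan describes (set AD on the query, watch for AD on the reply, no DO bit and therefore no RRSIGs on the wire) is easy to see at the packet level. The script below is an added example for this thread, not code from the list, BIND or Unbound; it builds the same header `dig +adflag` sends, parses the flag word of a reply, and classifies the answer. The resolver replies are constructed locally (a good one that keeps AD, a bad one that clears it) so it runs offline; the function names `build_query`, `build_response`, `parse_header` and `validation_status` are mine, and `192.0.2.1` is documentation address space.

```python
import struct
import secrets

# DNS header flag bits: RFC 1035 section 4.1.1, AD and CD from RFC 4035.
QR = 0x8000  # message is a response
AA = 0x0400  # authoritative answer (this is what "authoritative" means on the wire)
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # authenticated data: validating resolver verified the answer
CD = 0x0010  # checking disabled
RCODE_MASK = 0x000F


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name, qtype=1, ad=True, do=False, txid=None):
    """Wire-format query. ad=True mirrors 'dig +adflag'; do=True mirrors '+dnssec'
    (which adds an EDNS0 OPT record with the DO bit, asking for RRSIGs)."""
    if txid is None:
        txid = secrets.randbelow(0x10000)
    flags = RD | (AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if do:
        # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0,
        # EDNS version 0, DO bit (0x8000) set, empty RDATA.
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header into the fields this check cares about."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": flags & RCODE_MASK, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def build_response(query, ad, rdata_ip="192.0.2.1"):
    """Constructed resolver reply (sample data, not captured traffic): echoes the
    question, adds one A record, keeps or clears AD. No OPT and no RRSIG,
    because the query did not set DO."""
    q = parse_header(query)
    qend = query.index(b"\x00", 12) + 1 + 4          # end of QNAME + QTYPE/QCLASS
    question = query[12:qend]
    flags = QR | RD | RA | (AD if ad else 0)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 1, 0, 0)
    # Answer RR: compression pointer to the question name at offset 12,
    # type A, class IN, TTL 300, RDLENGTH 4, then the address.
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(o) for o in rdata_ip.split(".")))
    return header + question + answer


def validation_status(query, response):
    """Interpret AD on the reply the way the thread describes: only meaningful
    when we asked for it, and only for a reply that matches our query."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "mismatch"
    if not q["ad"]:
        return "unknown"          # we never asked, so a clear AD means nothing
    return "validated" if r["ad"] else "not-validated"


if __name__ == "__main__":
    q = build_query("example.com.", ad=True, txid=0x1234)
    print("query flags: 0x%04x" % struct.unpack("!H", q[2:4]))   # 0x0120 = RD|AD
    for label, reply in (("good", build_response(q, ad=True)),
                         ("bad", build_response(q, ad=False))):
        h = parse_header(reply)
        print(label, validation_status(q, reply), "arcount=%d" % h["arcount"])
```

Two caveats a practitioner should keep in mind. First, without the signatures in the packet the AD bit is only as trustworthy as the path to the resolver: RFC 4035 section 4.9.3 says a stub should rely on AD only over a secure channel to a resolver it trusts (localhost, or a transport that authenticates the resolver), because anyone who can spoof the reply can set the bit. Second, the practice of setting AD in queries was later written down in RFC 6840 section 5.7, so it is no longer an undocumented BIND and Unbound quirk.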
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users