Am 07.02.2014 09:45, schrieb Matthias Andree: > Am 07.02.2014 09:24, schrieb Simon Kelley: >> On 07/02/14 08:21, Jan-Piet Mens wrote: >>>> Answering my previous question, this behaviour is specified in RFC >>>> 6840 para 5.7. Code changes to implement it are in git now. >>> >>> Have they been comitted? ;-) No visible change here ... >> >> Ooops. Try now. >> >> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=e243c072b591cdeff8ac00483f5a9e426729534b >> >> > > I moved forward to test7, and now the FIRST query (the one shipping the > RRSIG and other additional stuff) lacks the AD flag, subsequent > responses carry it. > > Do I need to disable DNSSEC verification in the BIND that dnsmasq > forwards to to get useful test results?
No, I figured that I had forgotten an old /etc/resolv.conf in place, and the dnsmasq I am looking at was actually forwarding to a dnsmasq 2.59 compiled for Ubuntu 12.04LTS. With BIND or UNBOUND for a forwarder, the first response also carries the +AD, as it does for Jan-Piet. So scrap this report for now, we should check, however, if dnsmasq forwarding to a second instance of itself works properly. :) _______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss