Greetings again. While doing some testing, I came across something that
is consistent across implementations but that I do not find in RFC
4033, 4034, or 4035. If a query for a properly-signed zone is sent to
BIND-as-recursor, Unbound, or Google DNS, and the AD bit in the request
is set to 1, the answer returned has the AD bit set to 1. However, if
the query has the AD bit set to 0, the response always has the AD bit
set to 0, even though the requested zone is properly signed.
This happens regardless of whether or not there is an EDNS0 extension
with the DO bit set to 1.
I can't find anywhere in 403[3:5] that says that the AD bit in the
request means anything. Did I miss that? Or is it specified in a
different RFC?
--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
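To reproduce the observation above without a live resolver, here is an added example. It is not part of Paul Hoffman's post and is not code from BIND, Unbound or Google DNS. It builds queries with the AD header bit set or clear, with or without an EDNS0 OPT record carrying DO, reads the AD bit back out of a reply header, and includes a small constructed model (model_recursor_reply) that mirrors the behaviour the post reports, namely that the reply carries AD only when the query also set it. The wire layout follows RFC 1035 (header, question) and RFC 6891 (OPT RR); example.com is a placeholder name.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 2535).
QR = 1 << 15   # response
RD = 1 << 8    # recursion desired
RA = 1 << 7    # recursion available
AD = 1 << 5    # authentic data
CD = 1 << 4    # checking disabled

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
DO_BIT = 1 << 15       # DNSSEC OK bit: top bit of the low 16 bits of the OPT TTL


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=1, txid=0x1234, ad=False, do=False, udp_size=4096):
    """Build a recursive query. ad=True sets the AD header bit; do=True appends
    an EDNS0 OPT RR with DO set. The two are independent, as in the post."""
    flags = RD | (AD if ad else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)   # QCLASS IN
    msg = header + question
    if do:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO | Z(15), RDLEN 0.
        msg += b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, DO_BIT, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte header into its section counts and the flag bits."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {
        "id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
        "ra": bool(flags & RA), "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def has_do_bit(msg):
    """Walk every RR after the question and report whether an OPT RR has DO set."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE and ttl & DO_BIT:
            return True
        off += 10 + rdlen
    return False


def model_recursor_reply(query, validated):
    """Constructed model of the behaviour the post reports (not a real resolver):
    the reply carries AD only when validation succeeded AND the query set AD.
    The question and any OPT RR are echoed back; no answer RRs are included."""
    h = parse_header(query)
    flags = QR | RD | RA
    if validated and h["ad"]:
        flags |= AD
    header = struct.pack(">HHHHHH", h["id"], flags, h["qdcount"], 0, 0, h["arcount"])
    return header + query[12:]


if __name__ == "__main__":
    for ad, do in ((True, True), (False, True), (True, False), (False, False)):
        q = build_query("example.com", ad=ad, do=do)   # placeholder name
        r = model_recursor_reply(q, validated=True)
        print(f"query AD={int(ad)} DO={int(do)} -> reply AD={int(parse_header(r)['ad'])}")
```

To check a real recursor instead of the model, send the bytes from build_query over UDP to port 53 and hand the reply to parse_header and has_do_bit; the same experiment from the command line is dig's +adflag / +noadflag (AD bit in the query) combined with +dnssec / +nodnssec (the EDNS0 DO bit).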