Edward Lewis wrote:
> At 1:28 +0100 3/27/09, Holger Zuleger wrote:
>
>> So why doesn't an authoritative name server set the AD bit on answers
>> to queries with the DO flag set?
>
> Good question. Perhaps the authoritative server does not have DNSSEC
> enabled?
>
> (BIND specific - in recent versions of BIND, since Feb 2007, if
> dnssec-enabled is not yes, it doesn't do DNSSEC processing.)
>

I would say that AA=1 already gives you more information than AD would;
you can't really get more authenticated than being authoritative for the
data (from a sender's point of view). So setting it or not wouldn't add
any information.

Jelte
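The bits this thread discusses, as an added example that is not part of the original messages: it builds a query with the EDNS0 DO flag set and reads AA and AD from a reply header. All function names are hypothetical, the reply messages are constructed samples, and `has_do` assumes one question, no answer records and no name compression.

```python
import struct

# Header flag masks: QR and AA from RFC 1035, AD from RFC 4035.
QR, AA, AD = 0x8000, 0x0400, 0x0020
DO = 0x8000          # DO bit in the flags half of the OPT TTL field (RFC 3225)
TYPE_OPT = 41

def encode_name(name):
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, msg_id=0x1234):
    """A-record query carrying an EDNS0 OPT record with DO=1."""
    header = struct.pack("!6H", msg_id, 0, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL = flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO, 0)
    return header + question + opt

def header_flags(msg):
    _msg_id, flags = struct.unpack("!HH", msg[:4])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA), "ad": bool(flags & AD)}

def has_do(msg):
    """True if the record after the question is an OPT record with DO set."""
    pos = 12
    while msg[pos]:               # skip the QNAME labels
        pos += 1 + msg[pos]
    pos += 1 + 4                  # root label, then QTYPE and QCLASS
    if len(msg) < pos + 11 or msg[pos] != 0:
        return False
    rtype, _size, ttl, _rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    return rtype == TYPE_OPT and bool(ttl & DO)

def describe(msg):
    """Name the authenticity signal the sender put in the header."""
    f = header_flags(msg)
    if f["aa"]:
        return "authoritative" + (" +AD" if f["ad"] else "")
    return "resolver-validated" if f["ad"] else "no authenticity signal"

def sample_response(query, flags):
    """Constructed reply: the query bytes with the flags word replaced."""
    return query[:2] + struct.pack("!H", flags) + query[4:]
```
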