Tony Finch wrote:
> On Wed, 6 Jan 2010, Pamela Rock wrote:
>> Does that imply that +adflag sets the ad bit on the query and the
>> response where +dnssec only sets the ad bit on the response?
>
> The AD flag is meaningless in a query. In a response it tells you whether
> the server is authoritative or not. It has nothing to do with DNSSEC.
Actually, BIND implements something a bit different. If a query is sent with the AD bit set, the flag is NOT reset if the upstream server succeeds in validating the data, even if the DO bit is not set. If the data is not authenticated, the AD bit is reset in the response. This allows one to send a query to a BIND server that proves data to be validated (set AD on query, watch for AD on response) without having all of the DNSSEC-related data (signatures, etc.) in the response packet.

AlanC

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
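The "set AD on the query, watch for AD on the response" check described above, as an added example that is not part of the thread or of BIND itself. It builds a plain UDP DNS query with the AD flag set and no EDNS OPT record (so the DO bit cannot be set), and then reads the AD flag out of the response header. Because no resolver is contacted, the two responses are constructed stand-ins for what a validating resolver would return for authenticated and non-authenticated data; the socket-based sender at the bottom is only run when the script is executed directly, against a resolver address you supply.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 2535 section 6.1).
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data
FLAG_CD = 0x0010  # checking disabled
RCODE_MASK = 0x000F


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, set_ad=True):
    """Build a classic (non-EDNS) query: no OPT record, hence no DO bit.

    With set_ad=True the AD flag is set in the query, which is the signal
    the message above describes: a resolver that validated the answer keeps
    AD set in its response; one that could not validate clears it.
    """
    flags = FLAG_RD | (FLAG_AD if set_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_flags(packet):
    """Decode the fields of the 12-byte DNS header that matter here."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rcode": flags & RCODE_MASK,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
    }


def response_is_validated(query, response):
    """True only if the response matches our query, is a response, and has AD set."""
    q = parse_flags(query)
    r = parse_flags(response)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("not a response to our query")
    if r["rcode"] != 0:
        return False  # an error response carries no validated data
    return r["ad"]


def make_response(query, authenticated):
    """Constructed stand-in for a resolver's reply (no real answer section).

    Copies the query, marks it as a response, and keeps or clears AD exactly
    as the message above says a validating BIND resolver would.
    """
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags |= FLAG_QR | FLAG_RA
    flags = (flags | FLAG_AD) if authenticated else (flags & ~FLAG_AD)
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar) + query[12:]


def send_query(server, name, timeout=3.0):
    """Send the AD-flagged query to a resolver over UDP and return its reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(4096)
    return query, reply


if __name__ == "__main__":
    # Replace with the address of a validating resolver you operate (assumption).
    q, r = send_query("127.0.0.1", "example.com.")
    print("AD set in response:", response_is_validated(q, r))
```

The check is deliberately conservative: an AD flag is only trusted when the transaction id matches, QR is set, and RCODE is zero. AD reports the resolver's own validation result, so the path between this client and the resolver still has to be one you trust (a local or otherwise protected transport); the flag does not by itself protect against a spoofed reply.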