On Wed, Feb 26, 2014 at 06:41:33PM +0100, Petr Spacek wrote:

> Could you elaborate on reasons for setting AD=1, please?

With "DO=1", applications that only care about the AD bit in the
reply also receive unwanted "RRSIG" records.

Setting "AD=1" may however require a new request option bit, since
RES_USE_DNSSEC sets "DO=1".  I am not sure whether it would be
right to always send "AD=1" when all the nameservers are trusted
and believed to support validation.  Perhaps that's OK, but it may
be prudent to only do this when specifically requested.

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
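
Added example, not part of the message above and not code from any resolver library: it builds the same query two ways, once with only the header AD bit set and once with an EDNS OPT record carrying DO=1 (what RES_USE_DNSSEC asks for), and decodes both bits back out. The function names, the query name and the 1232-byte UDP size are assumptions chosen for illustration.

```python
import struct

FLAG_RD, FLAG_AD = 0x0100, 0x0020  # DNS header flag bits
EDNS_DO = 0x8000                   # DO bit inside the OPT record's TTL field
TYPE_OPT = 41

def build_query(name, qtype, *, ad=False, do=False, qid=0x1234):
    """Wire-format query, class IN. ad sets header AD; do appends an OPT RR with DO=1."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        msg += bytes([len(raw)]) + raw
    msg += b"\x00" + struct.pack("!HH", qtype, 1)
    if do:
        # OPT pseudo-RR: root owner, TYPE=41, CLASS=UDP payload size, TTL holds DO, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return msg

def describe_query(msg):
    """Report the AD and DO bits of a query built above (one question, no compression)."""
    _, flags, qd, _, _, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        while msg[pos]:            # walk the labels up to the root label
            pos += 1 + msg[pos]
        pos += 5                   # root label + QTYPE + QCLASS
    do = False
    if ar and msg[pos] == 0:
        rtype, _, ttl, _ = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        do = rtype == TYPE_OPT and bool(ttl & EDNS_DO)
    return {"ad": bool(flags & FLAG_AD), "do": do}

def reply_has_ad(msg):
    """True if a reply header carries AD=1 (only meaningful from a trusted validating resolver)."""
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_AD)

QNAME = "_25._tcp.mail.example.com"   # constructed name
TLSA = 52
if __name__ == "__main__":
    for label, q in (("AD=1", build_query(QNAME, TLSA, ad=True)),
                     ("DO=1", build_query(QNAME, TLSA, do=True))):
        print(label, len(q), "bytes", describe_query(q))
```

The AD-only query carries no OPT record at all, so the reply can report validation status in its header without the RRSIG records that DO=1 requests.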
