I run a DoH and DoT resolver with dnsdist. The backend resolvers validate (I can test them with dig and see the AD bit). But dnsdist returns the AD bit to the client only when the client uses the DO bit. (Unlike, for instance, Unbound, or Cloudflare's 1.1.1.1, which always return AD if the domain validates, regardless of DO.)
Is it on purpose? I don't see why. RFC 6840 mentions this behavior only for the case when the *client* uses the AD bit.
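The three query variants the post compares (no flag, AD set, DO set), as an added example that is not part of the original post or of dnsdist: it builds each query in wire format and reports which replies carry AD. `constructed_reply` and the two entries in `POLICIES` are constructed stand-ins modelling the behaviours the post describes, not captured traffic.

```python
import struct

RD, AD = 0x0100, 0x0020   # header flag bits: Recursion Desired, Authentic Data
DO = 0x8000               # DNSSEC OK, in the flags half of the OPT TTL (RFC 3225)

def build_query(name, ad=False, do=False, qid=0x1234):
    """Wire-format A query for `name`, with the AD header bit and/or EDNS0 DO set."""
    header = struct.pack("!6H", qid, RD | (AD if ad else 0), 1, 0, 0, 1 if do else 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!2H", 1, 1)   # QTYPE=A, QCLASS=IN
    if do:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode | version | flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return msg

def response_has_ad(response):
    """True if the AD bit is set in a response header."""
    flags, = struct.unpack("!H", response[2:4])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return bool(flags & AD)

VARIANTS = {"plain": {}, "ad": {"ad": True}, "do": {"do": True}}

def ad_matrix(name, ask):
    """Map each variant to whether its reply carried AD; `ask` takes and returns bytes."""
    return {label: response_has_ad(ask(build_query(name, **kw)))
            for label, kw in VARIANTS.items()}

def constructed_reply(query, policy):
    """Constructed stand-in for a resolver that validated the name: header-only reply."""
    qid, qflags = struct.unpack("!2H", query[:4])
    sent_ad = bool(qflags & AD)
    sent_do = query[10:12] == b"\x00\x01"   # ARCOUNT is 1 only when build_query added OPT
    flags = 0x8000 | RD | 0x0080 | (AD if policy(sent_ad, sent_do) else 0)  # QR, RD, RA
    return struct.pack("!2H", qid, flags) + query[4:]

# Constructed policies, named after the two behaviours the post contrasts.
POLICIES = {
    "ad_only_with_do": lambda sent_ad, sent_do: sent_do,
    "ad_always": lambda sent_ad, sent_do: True,
}

if __name__ == "__main__":
    for label, policy in POLICIES.items():
        print(label, ad_matrix("example.com", lambda q: constructed_reply(q, policy)))
```

To test a real resolver, pass `ad_matrix` a function that carries the bytes over your transport; the same wire format is the body of a DoH POST (`application/dns-message`) and, with a two-byte length prefix, a DoT message.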
