Hi Leen and Michael,

On Fri, 20 May 2016 09:31:31 +0200
Leen Besselink <[email protected]> wrote:

> I forgot to mention, when you query a recursor, the recursor can also
> indicate that the response is DNSSEC-validated, you need to look at the
> AD-bit.

For completeness, the recursor follows RFC 6840[1] §5.7 pretty strictly (in a DNSSEC mode). This means that a +AD bit in the query will trigger validation in process mode. When the AD bit is not set in the query, the recursor will not answer with the AD bit set, even when the data is validated (in validation mode).

The DO bit in the query is interpreted as 'give me DNSSEC records'; this means that the recursor will return NSEC(3) and RRSIG records in the response. But if there is no AD bit set, no validation will take place.

Best regards,

Pieter

1 - https://tools.ietf.org/html/rfc6840

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
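The two query bits discussed in this message, shown at the wire level as an added example (not part of the original message and not PowerDNS code): the AD bit lives in the DNS header flags, the DO bit in the EDNS OPT record, and a client checks the AD flag of the matching response. The function names, the query ID and the sample responses are constructed for illustration.

```python
import struct

AD = 0x0020      # header flag: Authentic Data
RD = 0x0100      # header flag: Recursion Desired
QR = 0x8000      # header flag: message is a response
DO = 0x8000      # EDNS flag (low 16 bits of the OPT TTL field): DNSSEC OK
TYPE_OPT = 41

def build_query(name, qtype=1, ad=False, do=False, qid=0x1234):
    """Wire-format query; ad sets the header AD bit, do adds an OPT RR with DO."""
    flags = RD | (AD if ad else 0)
    msg = struct.pack("!6H", qid, flags, 1, 0, 0, 1 if do else 0)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!2H", qtype, 1)   # root label, QTYPE, QCLASS=IN
    if do:
        # OPT pseudo-RR: root name, TYPE, UDP payload size, TTL (flags), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO, 0)
    return msg

def header_flags(msg):
    """Decode the header fields a client needs to judge a response."""
    qid, flags = struct.unpack("!2H", msg[:4])
    return {"id": qid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "rcode": flags & 0x000F}

def is_validated(query, response):
    """True only for a matching NOERROR/NXDOMAIN response with AD set."""
    q, r = header_flags(query), header_flags(response)
    return (r["qr"] and r["id"] == q["id"]
            and r["rcode"] in (0, 3) and r["ad"])

def constructed_response(query, ad):
    """Constructed sample: echo the query header as a response, AD on or off."""
    flags = QR | RD | 0x0080 | (AD if ad else 0)    # 0x0080 = Recursion Available
    return query[:2] + struct.pack("!H", flags) + query[4:]

if __name__ == "__main__":
    q = build_query("example.com", ad=True, do=True)
    for ad in (True, False):
        print("AD in response:", ad, "-> validated:",
              is_validated(q, constructed_response(q, ad)))
```

The AD flag is an unauthenticated header bit, so it is only meaningful when the path between the client and the recursor is itself trusted.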
