Hi Leen, On Fri, 20 May 2016 10:08:51 +0200 [email protected] wrote:
> I've been wondering about this, I haven't tried the new recursor yet. > So to make it more clear: > If you enable DNSSEC-processing of the recursor and nothing is cached > and you request something without DO-bit set does it do > DNSSEC-processing or not ? In process-mode, the recursor always sends out queries with the DO-bit set (so this data is in the cache) and strips DNSSEC records in the reply to the client when the client does not set the DO-bit. And if the client does not set the AD-bit it will not validate, so it might return bogus data in process mode. In validation mode, it will return SERVFAIL for bogus data, even when the client does not ask for validation. -- Pieter Lexis PowerDNS.COM BV -- https://www.powerdns.com _______________________________________________ Pdns-users mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/pdns-users
