It seems there is currently no way to set the AD bit in DNS queries?
(Through the API, we can only control RD, CD and DO bits.)
--- Begin Message ---
Does anyone know of any iterative resolvers one is likely to run into on
some ISP's network, hotel, or WiFi hotspot that will choke on queries
with AD=1, per:
https://tools.ietf.org/html/rfc6840#section-5.7
FWIW, "dig" sets AD=1 by default, and I've never seen a need to use
"+noad" to get the upstream resolver to respond correctly. But perhaps
I've just not tested in the "wrong" places.
Is there a way to leverage RIPE ATLAS to look for AD=1 (in queries)
intolerance?
The reason I ask is that the MUSL libc stub resolver has no support for
EDNS and so no DO=1, but Postfix DANE support still needs to see the AD
bit from the local resolver, which is not sent when there's no AD=1 in
the query.
My instinct is that it is now safe to just always send AD=1 in queries,
which would partly resolve the issue, but if that is liable to break
lookups via some extant resolvers, then AD=1 would need to be
configurable via options in /etc/resolv.conf or similar.
--
Viktor.
___
dns-operations mailing list
dns-operati...@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--- End Message ---
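One way to test a given resolver for exactly the behaviour asked about above (a plain, EDNS-free query with AD=1 in the header, as a musl-style stub would have to send it, compared against the same query with AD=0) is the probe below. It is added example code, not part of the thread or of Postfix, musl or RIPE Atlas; it uses only the Python standard library, builds the query packet by hand so that no OPT record (and hence no DO bit) is ever sent, and classifies the pair of replies. The resolver address 192.0.2.53 and the name example.com in the usage stanza are assumed placeholders.

```python
"""Probe a recursive resolver for intolerance of AD=1 in queries (RFC 6840, 5.7).

Example code, not from the original message.  Sends two EDNS-free queries for the
same name, one with AD=0 and one with AD=1, and compares what comes back.
"""
import socket
import struct

# DNS header flag bits (RFC 1035 4.1.1; AD and CD defined in RFC 2535 / RFC 4035).
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, rd=True, ad=False):
    """Build a minimal DNS/UDP query with no OPT record (so DO cannot be set).

    rd sets RD (recursion desired); ad sets AD in the query header, which
    RFC 6840 5.7 defines as "set AD in the response if the answer validated".
    """
    flags = (FLAG_RD if rd else 0) | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def parse_flags(resp, expect_txid=None):
    """Return the response header flags as a dict; raise on a malformed packet."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & FLAG_QR:
        raise ValueError("not a response (QR=0)")
    rcode = flags & RCODE_MASK
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "tc": bool(flags & FLAG_TC), "ra": bool(flags & FLAG_RA),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "ancount": an}


def classify(without_ad, with_ad):
    """Compare the replies to the AD=0 and AD=1 queries (None means no reply).

    'ad-intolerant'   AD=1 got no reply or a protocol error that AD=0 did not
    'ad-on-request'   AD=1 query got AD=1 back, AD=0 query did not (RFC 6840 5.7)
    'no-difference'   both queries were answered the same way
    'unreachable'     neither query was answered
    """
    if without_ad is None and with_ad is None:
        return "unreachable"
    if with_ad is None:
        return "ad-intolerant"
    if without_ad is not None:
        if (with_ad["rcode"] != without_ad["rcode"]
                and with_ad["rcode"] in ("FORMERR", "NOTIMP", "REFUSED")):
            return "ad-intolerant"
        if with_ad["ad"] and not without_ad["ad"]:
            return "ad-on-request"
    return "no-difference"


def probe(resolver, qname, timeout=2.0):
    """Send the same question with AD=0 then AD=1 and classify the resolver."""
    results = []
    for ad in (False, True):
        txid = 0x1000 + int(ad)           # distinct IDs so stray replies are rejected
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(qname, txid=txid, ad=ad), (resolver, 53))
            data, _ = sock.recvfrom(4096)
            results.append(parse_flags(data, expect_txid=txid))
        except (socket.timeout, ValueError):
            results.append(None)
        finally:
            sock.close()
    return results[0], results[1], classify(results[0], results[1])


if __name__ == "__main__":
    # Assumed placeholders: substitute the nameserver from /etc/resolv.conf
    # and a DNSSEC-signed name you expect it to validate.
    print(probe("192.0.2.53", "example.com."))
```

Run it against the nameserver in /etc/resolv.conf on the network under test; a result of "ad-on-request" is the case the message relies on (the resolver validates but only reports AD when asked), while "ad-intolerant" is the breakage the question is about. Note that a validating resolver that already sets AD on every answer, or a non-validating one, both come back as "no-difference", so the classification is about tolerance, not about whether DANE lookups will succeed.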