On Fri, 17 Jul 2020, Jesper Wallin wrote:

> To get a response with the AD flag set, the request itself also needs
> to have the AD flag set.
...
> -#define RES_DEFAULT (RES_RECURSE | RES_DEFNAMES | RES_DNSRCH)
> +#define RES_DEFAULT (RES_RECURSE | RES_DEFNAMES | RES_DNSRCH | RES_USE_AD)

Can you share some examples of "needs" AD flag set in combination with
DO flag? It's not required to set the AD flag when the DO flag is
already set. You can set the DO flag without AD flag also set and get AD
flag set in the response.

(As a brief explanation, if the validator already authenticated it, when
setting the AD flag without the DO flag in the query, the validator can
send back the AD without the RRSIG records.)

(I don't have any argument with adding the feature and enabling it, but
I am curious what specific example caused you to require it.)
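
Review bot: on the `+#define RES_DEFAULT` line, adding RES_USE_AD to the default mask changes behaviour for every program that relies on the default resolver options, not only for callers that look at the AD flag in the response. The quoted rationale says only that the request needs AD set to get AD back; please state in the commit message why this belongs in RES_DEFAULT rather than being set by the callers that check the flag, and document the new default alongside the other RES_* options.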
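
Added example, not part of the original message or of the patch: the two request signals discussed above as they appear on the wire, AD as a bit in the DNS header flags and DO as a bit in the EDNS0 OPT record. The names build_query and response_has_ad are hypothetical, and the query ID and the 1232-byte UDP payload size are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_FLAG_RD 0x0100 /* recursion desired (header) */
#define DNS_FLAG_AD 0x0020 /* authentic data (header) */

/* Build a query for a dotted name into buf; returns its length, or 0 on error. */
size_t build_query(uint8_t *buf, size_t cap, const char *name, uint16_t qtype,
                   int set_ad, int set_do)
{
    /* OPT RR: root name, TYPE 41, CLASS = payload size 1232,
     * TTL = ext-rcode 0, version 0, flags 0x8000 (DO), RDLEN 0. */
    static const uint8_t opt[11] = {0, 0, 41, 0x04, 0xd0, 0, 0, 0x80, 0x00, 0, 0};
    uint16_t flags = DNS_FLAG_RD | (set_ad ? DNS_FLAG_AD : 0);
    size_t n = 12;

    if (cap < 12 + strlen(name) + 2 + 4 + sizeof opt) return 0;
    memset(buf, 0, 12);
    buf[0] = 0x12; buf[1] = 0x34;                 /* constructed query ID */
    buf[2] = (uint8_t)(flags >> 8); buf[3] = (uint8_t)(flags & 0xff);
    buf[5] = 1;                                   /* QDCOUNT = 1 */
    while (*name) {                               /* encode each label */
        size_t len = strcspn(name, ".");
        if (len == 0 || len > 63) return 0;       /* empty or oversized label */
        buf[n++] = (uint8_t)len;
        memcpy(buf + n, name, len); n += len;
        name += len;
        if (*name == '.') name++;
    }
    buf[n++] = 0;                                 /* root label */
    buf[n++] = (uint8_t)(qtype >> 8); buf[n++] = (uint8_t)(qtype & 0xff);
    buf[n++] = 0; buf[n++] = 1;                   /* class IN */
    if (set_do) {
        memcpy(buf + n, opt, sizeof opt); n += sizeof opt;
        buf[11] = 1;                              /* ARCOUNT = 1 */
    }
    return n;
}

/* True if msg is a response (QR set) whose header carries the AD bit. */
int response_has_ad(const uint8_t *msg, size_t len)
{
    return len >= 12 && (msg[2] & 0x80) && (msg[3] & 0x20);
}

int main(void)
{
    uint8_t q[64];
    printf("AD only: %zu bytes\n", build_query(q, sizeof q, "example.com", 1, 1, 0));
    printf("DO only: %zu bytes\n", build_query(q, sizeof q, "example.com", 1, 0, 1));
    return 0;
}
```
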