In my (limited) experience, the server only responds with the AD bit set which it can validate the DNSSEC records on the domain. As there is no root key in the DNS now, this means you must configure trust anchors on your recursive nameserver.
My question would be: is your recursive DNS server actually able to validate the DNSSEC records? If you operate the server, you should be able to examine the dnssec logs and determine if the nameserver is able to validate the DNSSEC records. -- Bind9 (8.04) not returning 'ad' flag when dnssec is enabled https://bugs.launchpad.net/bugs/242956 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
