dig query

Alan Clegg aclegg at isc.org
Wed Jan 6 15:10:05 UTC 2010


Tony Finch wrote:
> On Wed, 6 Jan 2010, Pamela Rock wrote:
>> Does that imply that +adflag sets the ad bit on the query and the
>> response where +dnssec only sets the ad bit on the response?
> 
> The AD flag is meaningless in a query. In a response it tells you whether
> the server is authoritative or not. It has nothing to do with DNSSEC.

Actually, BIND implements something a bit different...

If a query is sent with the AD bit set, the flag is NOT reset if the
upstream server succeeds in validating the data, even if the DO bit is
not set.  If the data is not authenticated, the AD bit is reset in the
response.

This allows one to send a query to a BIND server that proves data to be
validated (set AD on query, watch for AD on response) without having all
of the DNSSEC-related data (signatures, etc.) in the response packet.

AlanC
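The "set AD on the query, watch for AD on the response" check described above, as an added Python example that is not part of the original post or of BIND. It builds a plain (non-EDNS, so no DO bit) query with AD set and decodes the flags word of a response; the function names and the two sample response headers are constructed for illustration, not captured traffic.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035): QR, RD, RA, AD.
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234, set_ad: bool = True) -> bytes:
    """Build a minimal DNS query (no OPT record, hence no DO bit); optionally set AD in the header."""
    flags = FLAG_RD | (FLAG_AD if set_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    return header + question

def response_flags(msg: bytes) -> dict:
    """Decode the id and flags word of a DNS message header."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F}

def validated_by_resolver(query: bytes, response: bytes) -> bool:
    """AD was set on the query; AD still set on the matching, successful response means the
    resolver validated the data. AD cleared means it did not (or could not) validate."""
    q = response_flags(query)
    r = response_flags(response)
    return r["qr"] and r["id"] == q["id"] and q["ad"] and r["ad"] and r["rcode"] == 0

# Constructed sample response headers (header alone is enough for the flag check).
QUERY = build_query("example.com.")
RESP_VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
RESP_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)

if __name__ == "__main__":
    print("validated:", validated_by_resolver(QUERY, RESP_VALIDATED))      # True
    print("unvalidated:", validated_by_resolver(QUERY, RESP_UNVALIDATED))  # False
```

Note that AD in a response is only trustworthy over a channel you trust to the resolver; on the wire it is just a header bit that anyone in the path could set.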
