dig query

Michael Sinatra michael at rancid.berkeley.edu
Wed Jan 6 20:18:58 UTC 2010


On 1/6/10 7:10 AM, Alan Clegg wrote:
> Tony Finch wrote:
>> On Wed, 6 Jan 2010, Pamela Rock wrote:
>>> Does that imply that +adflag sets the ad bit on the query and the
>>> response where +dnssec only sets the ad bit on the response?
>>
>> The AD flag is meaningless in a query. In a response it tells you whether
>> the server is authoritative or not. It has nothing to do with DNSSEC.
>
> Actually, BIND implements something a bit different..
>
> If a query is sent with the AD bit set, the flag is NOT reset if the
> upstream server succeeds in validating the data, even if the DO bit is
> not set.  If the data is not authenticated, the AD bit is reset in the
> response.
>
> This allows one to send a query to a BIND server that proves data to be
> validated (set AD on query, watch for AD on response) without having all
> of the DNSSEC related data (signatures, etc) in the response packet.

I tried this out and I noticed that both BIND and unbound appear to 
behave the same way when using dig in this manner.  So both of the major 
validating implementations support it.  I don't see specific reference 
to using the AD flag in queries in the RFCs (at least on a cursory 
glance), but it's a very useful feature.

michael
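The "set AD on the query, watch for AD on the response" check described in the thread, shown at the wire level as an added example (this is not code from the thread or from BIND/unbound). It builds the same kind of query header that `dig +adflag` sends, with the AD bit set, and inspects the header flags of a response the way a reader checks dig's `;; flags:` line. The responses are constructed in the script so it runs offline; `make_response` is a stand-in for what a validating resolver would send back, not real resolver output. Bit positions follow the DNS header layout (RFC 1035, AD/CD from RFC 2535).

```python
import struct

# DNS header flag bits (second 16-bit word of the 12-byte header).
FLAG_QR = 0x8000  # response (as opposed to query)
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data: set by a validating resolver
FLAG_CD = 0x0010  # checking disabled


def encode_name(name):
    """Encode a dotted name as DNS labels: example.com. -> \\x07example\\x03com\\x00"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, ad_flag=True):
    """Wire-format query; ad_flag=True corresponds to `dig +adflag`."""
    flags = FLAG_RD | (FLAG_AD if ad_flag else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # qdcount=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def response_flags(packet):
    """Decode the header flags of a packet into the names dig prints."""
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
    }


def validated(query, response):
    """The check from the thread: AD was sent on the query and came back set
    on a response whose ID matches.  A resolver that could not authenticate
    the data clears AD, so this returns False for unauthenticated answers."""
    qid, qflags = struct.unpack("!HH", query[:4])
    r = response_flags(response)
    return bool(qflags & FLAG_AD) and r["qr"] and r["id"] == qid and r["ad"]


def make_response(query, ad, txid=None):
    """Constructed stand-in for a resolver's reply (not real resolver output):
    echo the question section, set QR/RA, and keep AD only when `ad` is True."""
    qid, qflags = struct.unpack("!HH", query[:4])
    flags = FLAG_QR | FLAG_RA | (qflags & (FLAG_RD | FLAG_CD)) | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid if txid is not None else qid, flags, 1, 0, 0, 0)
    return header + query[12:]


if __name__ == "__main__":
    q = build_query("example.com.")
    for label, resp in (("validated", make_response(q, ad=True)),
                        ("unauthenticated", make_response(q, ad=False))):
        f = response_flags(resp)
        shown = " ".join(k for k in ("qr", "aa", "ad", "cd") if f[k])
        print(f"{label:16s} flags: {shown:10s} -> validated={validated(q, resp)}")
```

Note that the function deliberately requires AD on the query as well as on the response: the point of the technique is that a plain query with AD set, and no DO bit or DNSSEC records in the answer, is enough to learn whether the resolver validated the data.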


