querylog format

Michael Sinatra michael at rancid.berkeley.edu
Tue Jun 7 03:41:03 UTC 2011

On 6/6/11 8:09 PM, Jeff Peng wrote:
> Hello,
> The querylog of BIND in my hosts is like:
> client query: s18.mhxx.game.yy.com IN A -EDC
> For the last part, I know the '-' means non-recursion,'E' means EDNS.
> But what are the 'D' and 'C' flags?

D = DO (DNSSEC Okay), client is requesting DNSSEC records and AD bit set 
if server is doing validation and can validate the zone

C = CD (Checking Disabled), client does not want the server to do 
validation on the response, but to return it regardless.

Although setting both flags sounds contradictory, it makes some sense 
where a validating forwarding resolver wants to do its own validation 
and enforce its own policy for dealing with valid/insecure/bogus zones.


More information about the bind-users mailing list