DNSSEC debugging: TC and AD-Flag set?

Tony Finch dot at dotat.at
Mon Feb 25 11:29:03 UTC 2019

Tom <tomtux007 at gmail.com> wrote:
> I've enabled deep log-debugging in BIND 9.12.2-P1 (resolver) for DNSSEC
> purposes and was wondering, why my resolver received an "authenticated data"
> answer from one of the authoritative servers for "org." (, while
> the response has the TC (truncated) flag set too:

The relevant spec is RFC 3655 section 2, which doesn't say what to do if
the response is truncated. A reasonable implementation strategy is to
build a complete response, then truncate it if required. (This is not as
wasteful as it sounds because an authoritative server might have
pre-compiled all possible responses.) It's plausible not to have a special
case to clear AD after truncation if the response ends up empty, and it's
allowed because every record is authenticated (there just happen to be
zero records).


f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Southeast Iceland: Cyclonic 4 or 5, becoming southeasterly 6 to gale 8,
veering southwesterly 7 to severe gale 9, perhaps storm 10 later. Very rough,
becoming high or very high. Rain then squally showers. Moderate or poor.
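The server-side strategy Tony describes (build the complete response, then truncate it, leaving AD untouched) and the resolver-side consequence (a TC reply is not an answer, it is a signal to retry over TCP), as an added example that is not part of the original post or of BIND's code. Python, standard library only. The query name, transaction ID, size limits and the two DNSKEY-sized records are constructed for illustration and are not real org. keys; the truncation rule (drop answer RRs from the tail until the message fits) is one simple implementation of the strategy in the post, not a claim about how any particular server truncates.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD from RFC 2535 / RFC 4035)
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_AD = 0x0020

TYPE_DNSKEY = 48
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def build_rr(owner, rtype, ttl, rdata):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_header(txid, flags, qdcount, ancount):
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def build_response(txid, qname, qtype, answers, flags, max_size):
    """Authoritative side, as in the post: build the complete response first;
    if it does not fit in max_size, drop answer RRs from the tail and set TC.
    The flags word (including AD) is otherwise left as it was, so a reply that
    loses every record still carries AD with ANCOUNT=0."""
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    kept = list(answers)
    msg = build_header(txid, flags, 1, len(kept)) + question + b"".join(kept)
    if len(msg) <= max_size:
        return msg
    flags |= FLAG_TC
    while kept:
        kept.pop()
        msg = build_header(txid, flags, 1, len(kept)) + question + b"".join(kept)
        if len(msg) <= max_size:
            return msg
    # Not even header + question fits: send that anyway, with TC set
    return msg


def parse_header(msg):
    """The facts a resolver can read from the 12-byte header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "tc": bool(flags & FLAG_TC),
        "ad": bool(flags & FLAG_AD),
        "aa": bool(flags & FLAG_AA),
        "ancount": an,
    }


def resolver_decision(msg):
    """Resolver side: a reply with TC set is not usable whatever AD says;
    the query is retried over TCP (RFC 1035 section 4.2.1, RFC 2181 section 9)."""
    if parse_header(msg)["tc"]:
        return "retry-over-tcp"
    return "use-answer"


def demo():
    # Constructed sample: two 260-byte DNSKEY-sized records for org. (dummy bytes, not real keys)
    answers = [build_rr("org.", TYPE_DNSKEY, 900, bytes([i]) * 260) for i in (1, 2)]
    flags = FLAG_QR | FLAG_AA | FLAG_AD
    cases = (
        ("full", 4096),    # everything fits: AD set, TC clear
        ("udp512", 512),   # one record survives: TC set, AD still set
        ("tiny", 200),     # no record survives: TC set, AD still set, ANCOUNT=0
    )
    return {
        name: (len(m), parse_header(m), resolver_decision(m))
        for name, limit in cases
        for m in [build_response(0x1234, "org.", TYPE_DNSKEY, answers, flags, limit)]
    }


if __name__ == "__main__":
    for name, (size, hdr, action) in demo().items():
        print(f"{name:7s} {size:4d} bytes  TC={hdr['tc']!s:5}  AD={hdr['ad']!s:5}  "
              f"ANCOUNT={hdr['ancount']}  -> {action}")
```

The "tiny" case is the one in the log above: a truncated reply with AD=1 and no records. The resolver never has to decide whether that AD bit is trustworthy, because TC already means it must discard the reply and ask again over TCP.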
