Trying again on SERVFAIL
he at uninett.no
Thu Feb 11 16:44:20 UTC 2021
> Yeah, by the time it lands on Debian's glibc we'll have grown a long
> long beard. I'm still missing RES_TRUSTAD...
Oh, this set me off on a tangent. I hadn't heard of RES_TRUSTAD
before, so I found
which under "trust-ad" contains this text:
If the trust-ad option is active, the stub resolver
sets the AD bit in outgoing DNS queries (to enable AD
bit support), [...]
I could not get that to rhyme with what I had perceived to be the
semantics of the AD bit, so I looked up RFC 4035 where near the
end of section 3 (just before 3.1), I find this text:
The AD bit is controlled by name servers; a security-aware
name server MUST ignore the setting of the AD bit in queries.
So ... I can't get the glibc behaviour to mesh with the standard
on this particular point.
More information about the bind-users