Trying again on SERVFAIL

Havard Eidnes he at uninett.no
Thu Feb 11 16:44:20 UTC 2021


> Yeah, by the time it lands on Debian's glibc we'll have grown a long
> long beard.  I'm still missing RES_TRUSTAD...

Oh, this set me off on a tangent.  I hadn't heard of RES_TRUSTAD
before, so I found

  https://man7.org/linux/man-pages/man5/resolv.conf.5.html

which under "trust-ad" contains this text:

          If the trust-ad option is active, the stub resolver
          sets the AD bit in outgoing DNS queries (to enable AD
          bit support), [...]

I could not get that to rhyme with what I had perceived to be the
semantics of the AD bit, so I looked up RFC 4035 where near the
end of section 3 (just before 3.1), I find this text:

   The AD bit is controlled by name servers; a security-aware
   name server MUST ignore the setting of the AD bit in queries.

So ... I can't get the glibc behaviour to mesh with the standard
on this particular point.

Regards,

- Håvard
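
The two quoted passages side by side, as an added example that is not part of the original message and is not glibc or BIND code: a query encoder that can set the AD bit the way the man page text describes, and a toy responder whose AD bit depends only on its own validation result, as the RFC 4035 sentence requires. The function names, the transaction ID and the query name are assumptions made for illustration.

```python
import struct

AD = 0x0020  # Authentic Data bit in the 16-bit DNS header flags word
QR = 0x8000  # message is a response
RD = 0x0100  # recursion desired


def build_query(qname, qtype=1, set_ad=False, txid=0x1234):
    """Encode a minimal DNS query; set_ad mirrors the quoted trust-ad text."""
    flags = RD | (AD if set_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def ad_bit(message):
    """Return True if the AD bit is set in a DNS message header."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", message[2:4])
    return bool(flags & AD)


def respond_rfc4035(query, validated):
    """Toy reply header (hypothetical server): AD reflects only the server's
    own validation result; the AD bit of the query is ignored."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = QR | (qflags & RD) | (AD if validated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    # Constructed sample queries, with and without the AD bit.
    for set_ad in (False, True):
        q = build_query("example.com", set_ad=set_ad)
        for validated in (False, True):
            r = respond_rfc4035(q, validated)
            print(f"query AD={ad_bit(q)} validated={validated} -> reply AD={ad_bit(r)}")
```
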

