authoritative return CD?

reed at reed at
Thu Oct 3 13:25:44 UTC 2019

Why does named authoritative return CD in response when CD in query?

RFC4035 3.1.6/2 "A security-aware name server SHOULD clear the CD bit 
when composing an authoritative response."

I know it is not a MUST, but where is the decision documented for BIND 
named?  Is it simply for the client to know that the server knew it 
didn't check it?

I understand from same RFC that a recursive response would copy the CD 
back, but in the authoritative case I also get a "aa" back (with the 

I also read a nsd differences document that mentioned its behaviour was 

I didn't confirm, but I think this is related to 
DNS_MESSAGE_REPLYPRESERVE and 4534.  [bug] Only set RD, RA and CD in 
QUERY responses. [RT #43879]


Jeremy C. Reed

echo Ohl zl obbx uggc://errqzrqvn.arg/obbxf/csfrafr/ | \
 tr "Onoqrsuvxzabcefghl" "Babdefhikmnoprstuy"

More information about the bind-workers mailing list