authoritative return CD?

Evan Hunt each at
Thu Oct 3 18:43:39 UTC 2019

On Thu, Oct 03, 2019 at 08:25:44AM -0500, reed at wrote:
> Why does named authoritative return CD in response when CD in query?

At a guess, because it does so for recursive responses and no one ever
thought to special-case authoritative responses.

That code was added along with all the rest of the DNSSEC-bis work
in BIND 9.3.0 in 2004, and I haven't found any documentation of that
particular design decision; I suspect it was just an oversight.

Do you know of any interoperational problems this causes?

> I didn't confirm, but I think this is related to 
> DNS_MESSAGE_REPLYPRESERVE and 4534.  [bug] Only set RD, RA and CD in 
> QUERY responses. [RT #43879]

Yes and no, respectively. The CD bit was copied before change #4534; the
difference was that it was copied in all responses, not just QUERY
responses. The specific misbehavior with authoritative responses
wasn't introduced then.

Evan Hunt -- each at
Internet Systems Consortium, Inc.
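
The flag handling discussed in this message, as an added example that is not part of the original thread and is not BIND's source code: a simplified model of copying CD (and RD) from a query into its reply, with and without the QUERY-only restriction, plus a check for responses that carry both AA and CD. The names `reply_flags`, `aa_with_cd`, `REPLY_PRESERVE` and `query_only` are hypothetical; the bit positions are the standard DNS header layout.

```c
#include <stdint.h>
#include <stdio.h>

/* DNS header flag bits (RFC 1035 section 4.1.1; CD from RFC 4035). */
#define F_QR          0x8000u
#define F_OPCODE_MASK 0x7800u
#define F_AA          0x0400u
#define F_RD          0x0100u
#define F_CD          0x0010u
#define OPCODE_QUERY  0u
#define OPCODE_NOTIFY 4u

/* Hypothetical model, not BIND source: bits a reply copies from the query. */
#define REPLY_PRESERVE (F_RD | F_CD)

static unsigned opcode_of(uint16_t flags) { return (flags & F_OPCODE_MASK) >> 11; }

/* Build reply flags from query flags.
 * query_only = 0: preserved bits are copied in all responses.
 * query_only = 1: preserved bits are copied only in QUERY responses.
 * Neither mode special-cases authoritative answers, so CD survives with AA. */
uint16_t reply_flags(uint16_t qflags, int authoritative, int query_only)
{
    uint16_t r = (uint16_t)(F_QR | (qflags & F_OPCODE_MASK));
    if (!query_only || opcode_of(qflags) == OPCODE_QUERY)
        r |= (uint16_t)(qflags & REPLY_PRESERVE);
    if (authoritative)
        r |= F_AA;
    return r;
}

/* Monitoring check: a response that is authoritative and still has CD set. */
int aa_with_cd(uint16_t flags)
{
    return (flags & F_QR) && (flags & F_AA) && (flags & F_CD);
}

int main(void)
{
    uint16_t query  = F_CD;                          /* constructed: QUERY, CD set */
    uint16_t notify = (OPCODE_NOTIFY << 11) | F_CD;  /* constructed: NOTIFY, CD set */
    uint16_t cases[] = { reply_flags(query, 1, 0), reply_flags(query, 1, 1),
                         reply_flags(notify, 1, 0), reply_flags(notify, 1, 1) };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("flags=0x%04x aa_with_cd=%d\n", (unsigned)cases[i], aa_with_cd(cases[i]));
    return 0;
}
```

In this model the QUERY-only restriction changes the NOTIFY reply but leaves the authoritative QUERY reply with both AA and CD set, in either mode.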

More information about the bind-workers mailing list