[DNSSEC] Validating resolver which is also authoritative: no AD bit set
Stephane Bortzmeyer
bortzmeyer at nic.fr
Fri Jan 23 13:48:23 UTC 2009
I configure a BIND 9.5.0 P2 which is both a DNSSEC-validating resolver
and an authoritative server.

With proper trust anchors, it DNSSEC-validates domains like iis.se or
sources.org and sets the AD bit in the answers to 'dig +dnssec XXX
iis.se'.

Except for one domain, generic-nic.net, for which this BIND is
authoritative: here, I get the right answer but without the AD bit.

If I delete this domain from the list of zones served by this BIND, I
get the AD bit again.

Is it normal? Should the client be happy with just the AA bit?
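
Added example, not part of the original post: a Python decoder for the DNS header flags that tells apart the two cases described above (AD set, versus AA set without AD). The two 12-byte headers are constructed sample values, and the function names and result labels are assumptions of this example.

```python
import struct

# Bit masks in the 16-bit flags field of the DNS header (RFC 1035, RFC 4035).
QR = 0x8000  # message is a response
AA = 0x0400  # Authoritative Answer: served from the server's own zone data
RD = 0x0100  # Recursion Desired
RA = 0x0080  # Recursion Available
AD = 0x0020  # Authenticated Data: the server states it DNSSEC-validated the data
RCODE_MASK = 0x000F


def header_flags(message: bytes) -> dict:
    """Decode the AA/AD bits and RCODE from a raw DNS response."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _msg_id, flags = struct.unpack("!HH", message[:4])
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    return {"aa": bool(flags & AA), "ad": bool(flags & AD),
            "rcode": flags & RCODE_MASK}


def classify(message: bytes) -> str:
    """Label a response by what its header says about validation."""
    f = header_flags(message)
    if f["rcode"] != 0:
        return "error"
    if f["ad"]:
        # The bit is only a claim by the server; it is meaningful to a client
        # that trusts that server and the path to it.
        return "validated-by-server"
    if f["aa"]:
        # Authoritative data, but no validation claim in the header.
        return "authoritative-no-ad"
    return "unvalidated"


def _header(flags: int) -> bytes:
    # Constructed header: ID 0x1234, one question, one answer, no other records.
    return struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)


# Constructed samples mirroring the two observations in the post.
RESOLVED_ANSWER = _header(QR | RD | RA | AD)       # e.g. a validated iis.se answer
AUTHORITATIVE_ANSWER = _header(QR | AA | RD | RA)  # e.g. the locally served zone

if __name__ == "__main__":
    for name, msg in (("resolved", RESOLVED_ANSWER),
                      ("authoritative", AUTHORITATIVE_ANSWER)):
        print(name, header_flags(msg), classify(msg))
```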