On 3 Aug 2012, at 02:25, "Marco Davids (SIDN)" <marco.davids at sidn.nl> wrote: > Dig 9.9.1 is setting the AD-bit in queries by default. > Does anyone know why? It means "I want the results of DNSSEC validation but not all the RRSIG and NSEC records I would get from DO=1." Tony. -- f.anthony.n.finch <dot at dotat.at> http://dotat.at/