[DNSSEC] Validating resolver which is also authoritative: no AD bit set
Simon Vallet
svallet at genoscope.cns.fr
Fri Jan 23 13:59:45 UTC 2009
On Fri, 23 Jan 2009 14:48:23 +0100
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> I configure a BIND 9.5.0 P2 which is both a DNSSEC-validating resolver
> and an authoritative server.
>
> With proper trust anchors, it DNSSEC-validates domains like iis.se or
> sources.org and sets the AD bit in the answers to 'dig +dnssec XXX
> iis.se'.
>
> Except for one domain, generic-nic.net, for which this BIND is
> authoritative: here, I get the right answer but without the AD bit.
We ran into a similar problem a while back -- see here:
http://marc.info/?l=bind-users&m=117310800721413&w=2
> If I delete this domain from the list of zones served by this BIND, I
> get the AD bit again.
>
> Is it normal? Should the client be happy with just the AA bit?
Last time I checked they weren't, but things may have changed.
Simon
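
The flag combinations discussed in this thread, decoded from the wire-format DNS header, as an added example that is not part of the original messages. The sample headers are constructed, and the helper names and the three classification labels are hypothetical, chosen for illustration.

```python
import struct

# Masks for the 16-bit flags word in the DNS header (RFC 1035; AD/CD from RFC 4035).
FLAG_MASKS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
              "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header needs 12 bytes")
    msg_id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": msg_id,
            "flags": {name for name, mask in FLAG_MASKS.items() if flags & mask},
            "rcode": flags & 0x000F,
            "ancount": an}

def classify(msg: bytes) -> str:
    """Label a response by what the server asserts about it (labels are hypothetical)."""
    hdr = parse_header(msg)
    if "qr" not in hdr["flags"]:
        raise ValueError("not a response (QR bit clear)")
    if "ad" in hdr["flags"]:
        return "validated"                  # server reports DNSSEC validation succeeded
    if "aa" in hdr["flags"]:
        return "authoritative-unvalidated"  # answered from the server's own zone data
    return "unvalidated"

def make_header(flags: int, ancount: int = 1) -> bytes:
    """Build a constructed 12-byte response header for the samples below."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 1)

# Constructed samples mirroring the cases in the thread (header only, no records).
RESOLVED_SIGNED = make_header(0x81A0)    # qr rd ra ad: validated answer from the resolver side
LOCAL_ZONE = make_header(0x8580)         # qr aa rd ra: zone served by the same server, no AD
RESOLVED_UNSIGNED = make_header(0x8180)  # qr rd ra: neither AA nor AD

if __name__ == "__main__":
    for name, msg in [("resolved, signed", RESOLVED_SIGNED),
                      ("local zone", LOCAL_ZONE),
                      ("resolved, unsigned", RESOLVED_UNSIGNED)]:
        print(f"{name:20} {sorted(parse_header(msg)['flags'])} -> {classify(msg)}")
```

A client can only rely on the AD bit when the channel to the resolver is itself trusted, since the bit is not covered by any signature.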