dig query

[Evan Hunt]

> I don't see specific reference to using the AD flag in queries in the
> RFCs (at least on a cursory glance), but it's a very useful feature.

We're kind of flying under the RFC's radar, as I understand it.  The RFC
says the server must ignore the AD flag in a query.  What we do, though,
is clear the AD flag when answering if the signatures don't validate, but
*leave it alone* if they do.  So if you did happen to set the AD flag, and
the answer validated, then it would still be set when you got your response.

I don't know of any RFC that expressly describes this usage (though I may
have missed one), but in any case it's not forbidden, and it's useful, so...

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.