disable dnssec in bind resolver
Evan Hunt
each at isc.org
Sat Jun 5 06:07:35 UTC 2010
> The DO bit is always set whenever the server includes an EDNS OPT RR
> (I thought it was based on the specification, but don't remember which
> sentence of which RFC says so).
I was taken aback to read this, because I remembered seeing code in named
that clears the DO bit if "dnssec-enable" is "no":

    if (!client->view->enablednssec) {
            client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
            [...]
    }

Looking further, though, I see that Jinmei is correct. The above code
clears the DO bit in replies sent from an authoritative name server; it
doesn't apply to queries being sent by a resolver. Resolvers do indeed
set the DO bit unconditionally. Sorry for any confusion caused by my
earlier statement to the contrary.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.