When does BIND send queries with DO flag enabled?

Taylor, Gord gord.taylor at rbc.com
Wed Sep 29 19:51:55 UTC 2010


We recently ran into an intermittent problem sending queries to a
business partner. Turns out they had CheckPoint firewalls with
SmartDefense turned off for DNS traffic. This was blocking traffic going
to them with the DO flag enabled. I could duplicate the problem from a
command line by issuing "dig @partner hostname +DNSSEC" and this failed
every time. When querying through the DNS server, though, using NSLOOKUP on
WinXP, the resolution was hit-and-miss. Watching a sniffer trace,
sometimes BIND 9.4.1-P1 would send with the DO flag enabled, and other times
without.

I know this is an older version of BIND, and lots of bugs were fixed in newer
versions. However, looking at sniffer traces from 9.7.0-P2 shows the
same behavior: sometimes DO is set and sometimes not set.

Can someone explain when BIND sets the DO flag and when it won't? Most of my
client workstations are XPSP3, and NONE of the queries coming from those
clients have the DO flag set.

Any help is appreciated...

Gord Taylor (CISSP, GCIH, GEEK)


_______________________________________________________________________

This e-mail may be privileged and/or confidential, and the sender does not waive
any related rights and obligations. Any distribution, use or copying of this e-mail or the information
it contains by other than an intended recipient is unauthorized.
If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.

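The DO flag the post is tracking in sniffer traces is the high-order bit of the extended-flags field of the EDNS0 OPT pseudo-record (RFC 3225, RFC 6891); a query with no OPT record at all, like the XP clients' queries, cannot carry it. The following Python script is an added example and is not part of the original post or of BIND: it builds queries with and without EDNS0 and with and without the DO bit, and parses raw query bytes to report which case a captured packet is, which is the check to run over the two servers' traces. The sample packet, its transaction ID, qname and UDP payload size are constructed here for illustration.

```python
import struct

OPT_TYPE = 41    # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000  # DNSSEC OK: high-order bit of the OPT record's extended flags (RFC 3225)


def encode_name(name):
    """Encode a dotted name in DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a wire-format name at offset; returns (name, offset just past the name)."""
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = ptr
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_query(qname, qtype=1, edns=True, do=False, udp_size=4096, txid=0x1234):
    """Build a UDP DNS query; edns=True appends an OPT RR, do=True sets the DO bit in it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set, one question
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)              # class IN
    pkt = header + question
    if edns:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE | version | DO | Z, RDLENGTH=0 (no options)
        ttl = DO_BIT if do else 0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return pkt


def inspect_query(pkt):
    """Report qname/qtype and whether the query carries an OPT RR and the DO bit."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname, off = decode_name(pkt, off)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    for _ in range(qd - 1):  # skip any extra questions (rare)
        _, off = decode_name(pkt, off)
        off += 4
    info = {"qname": qname, "qtype": qtype, "edns": False, "do": False, "udp_size": 512}
    for _ in range(an + ns + ar):  # walk every RR; a query normally has only the OPT RR
        _, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info["edns"] = True
            info["udp_size"] = rclass        # in OPT, CLASS carries the sender's UDP payload size
            info["do"] = bool(ttl & DO_BIT)  # in OPT, TTL carries extended RCODE, version and flags
    return info


def count_do(packets):
    """Tally captured queries by DO bit: the with/without split seen in the sniffer traces."""
    with_do = sum(1 for p in packets if inspect_query(p)["do"])
    return with_do, len(packets) - with_do


# Constructed sample: the minimal wire form of a DO-enabled A query for www.example.com
# (ID 0x1234, UDP payload size 4096), i.e. what "dig +dnssec" asks for.
SAMPLE_DO_QUERY = bytes.fromhex(
    "123401000001000000000001"            # header: ID, RD, QDCOUNT=1, ARCOUNT=1
    "03777777076578616d706c6503636f6d00"  # www.example.com
    "00010001"                            # type A, class IN
    "0000291000000080000000"              # OPT: root, type 41, 4096, flags 0x8000 (DO), rdlen 0
)

if __name__ == "__main__":
    print(inspect_query(SAMPLE_DO_QUERY))
    print(inspect_query(build_query("www.example.com", do=False)))
    print(inspect_query(build_query("www.example.com", edns=False)))
```

To apply this to a real trace, feed `inspect_query` the UDP payload of each captured query; the three outcomes it distinguishes (no OPT RR, OPT without DO, OPT with DO) are exactly the cases a firewall rule keyed on the DO bit would treat differently.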

