[Dnsmasq-discuss] Testers wanted: DNSSEC.

Simon Kelley simon at thekelleys.org.uk
Thu Feb 6 11:10:26 GMT 2014

On 06/02/14 08:15, Jan-Piet Mens wrote:
>>> 1. I am getting different results on two subsequent identical queries
>>> WRT RRSIG record and AD flag.
>> The second answer comes from the cache, and the D0 bit is not set in
>> the query, so the answer doesn't have the AD  flag or RRSIG, if you
>> add "+dnssec" to the dig command you should see both in replies from
>> the cache,
> I'm seeing the same that Matthias noted: the second response from
> dnsmasq doesn't have the +AD bit set.
> FWIW, Unbound and BIND9 both respond with +AD when I query them
> consecutively with `dig +ad'.
> Adding +dnssec to the flags upon querying dnsmasq works.


+dnssec (DO bit set in query) - return RRSIGs _and_ AD bit set if data 
is secure.

+ad   (AD bit set in query) - don't return RRSIGS but do set AD bit if 
data is secure.

That seems to be the behaviour of the Google public server too. Does 
anyone have a reference to the RFC which specifies this behaviour?



More information about the Dnsmasq-discuss mailing list