[Dnsmasq-discuss] Testers wanted: DNSSEC.

Simon Kelley simon at thekelleys.org.uk
Thu Feb 6 11:10:26 GMT 2014


On 06/02/14 08:15, Jan-Piet Mens wrote:
>>> 1. I am getting different results on two subsequent identical queries
>>> WRT RRSIG record and AD flag.
>
>> The second answer comes from the cache, and the DO bit is not set in
>> the query, so the answer doesn't have the AD flag or RRSIG. If you
>> add "+dnssec" to the dig command you should see both in replies from
>> the cache.
>
> I'm seeing the same that Matthias noted: the second response from
> dnsmasq doesn't have the +AD bit set.
>
> FWIW, Unbound and BIND9 both respond with +AD when I query them
> consecutively with `dig +ad'.
>
> Adding +dnssec to the flags upon querying dnsmasq works.
>


So

+dnssec (DO bit set in query) - return RRSIGs _and_ AD bit set if data
is secure.

+ad   (AD bit set in query) - don't return RRSIGs but do set AD bit if
data is secure.


That seems to be the behaviour of the Google public server too. Does 
anyone have a reference to the RFC which specifies this behaviour?


Cheers,

Simon.
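Editor's note on the thread above: the two rules Simon lists match RFC 6840 section 5.7 ("Setting the AD Bit on Queries"), which says a validating resolver SHOULD set AD in its response when the query carried either the AD bit or the EDNS0 DO bit (RFC 3225), while RRSIG records are only returned when DO was set. The following is an added example, not dnsmasq code and not part of the message: it builds the wire-format queries that `dig +ad` and `dig +dnssec` send, models a validating resolver's reply under those rules with constructed data (the A record, the filler RRSIG bytes and the 192.0.2.1 address are all made up), and inspects a reply for the header AD bit, the EDNS0 DO bit and the number of RRSIGs in the answer section. The `inspect` function also works on a real reply captured from dnsmasq or any other resolver.

```python
"""DO bit vs AD bit in DNS queries and replies (added example, not dnsmasq code)."""
import struct

RD_FLAG = 0x0100      # recursion desired (header flags)
AD_FLAG = 0x0020      # authentic data (header flags)
TYPE_A = 1
TYPE_OPT = 41         # EDNS0 pseudo-RR
TYPE_RRSIG = 46
EDNS_DO = 0x8000      # DO bit: top bit of the 16-bit EDNS flags field


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, ad=False, do=False, msg_id=0x1234):
    """Build a DNS query; ad=True mirrors `dig +ad`, do=True mirrors `dig +dnssec`."""
    flags = RD_FLAG | (AD_FLAG if ad else 0)
    msg = struct.pack(">HHHHHH", msg_id, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(qname) + struct.pack(">HH", qtype, 1)
    if do:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL field = ext-RCODE(8) | version(8) | flags(16, DO on top), RDLEN=0.
        msg += b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past the name at `off`, handling compression pointers."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2          # a pointer is two bytes and terminates the name
        off += 1 + ln


def inspect(msg):
    """Report header AD, EDNS0 DO, and the number of RRSIGs in the answer section."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # QTYPE + QCLASS
    rrsigs, do = 0, False
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            if rtype == TYPE_RRSIG and section == "an":
                rrsigs += 1
            if rtype == TYPE_OPT and (ttl & 0xFFFF) & EDNS_DO:
                do = True               # low 16 bits of the OPT TTL are the EDNS flags
            off += 10 + rdlen
    return {"ad": bool(flags & AD_FLAG), "do": do, "rrsig_count": rrsigs}


def model_response(query, secure=True):
    """Constructed reply following RFC 6840 s5.7: RRSIGs only if the query set DO;
    AD only if the query set AD or DO and the data validated (`secure`)."""
    q = inspect(query)
    msg_id, qflags, qd, _, _, _ = struct.unpack(">HHHHHH", query[:12])
    question = query[12:skip_name(query, 12) + 4]
    flags = 0x8000 | (qflags & RD_FLAG) | 0x0080          # QR, RD, RA
    if secure and (q["do"] or qflags & AD_FLAG):
        flags |= AD_FLAG
    owner = b"\xc0\x0c"                                     # pointer to the question name
    answers = owner + struct.pack(">HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    an, additional, ar = 1, b"", 0
    if q["do"]:
        # RRSIG RDATA: type covered, alg, labels, orig TTL, expiry, inception, key tag,
        # signer, signature. Filler values only; this is not a real signature.
        rdata = struct.pack(">HBBIIIH", TYPE_A, 13, 2, 300, 0, 0, 12345)
        rdata += encode_name("example.com.") + b"\x00" * 64
        answers += owner + struct.pack(">HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
        an += 1
        additional = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
        ar = 1
    return struct.pack(">HHHHHH", msg_id, flags, qd, an, 0, ar) + question + answers + additional


if __name__ == "__main__":
    for label, kw in (("plain", {}), ("+ad", {"ad": True}), ("+dnssec", {"do": True})):
        print(label, inspect(model_response(build_query("example.com.", **kw))))
```

Run against a live resolver, replace `model_response` with the bytes read back from a UDP socket after sending `build_query(...)`; the "plain" query shows neither AD nor RRSIGs, `+ad` shows AD alone, and `+dnssec` shows both, which is exactly the split observed in the thread.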



