[Dnsmasq-discuss] Testers wanted: DNSSEC.
simon at thekelleys.org.uk
Thu Feb 6 18:17:06 GMT 2014
On 06/02/14 08:15, Jan-Piet Mens wrote:
>>> 1. I am getting different results on two subsequent identical queries
>>> WRT RRSIG record and AD flag.
>> The second answer comes from the cache, and the DO bit is not set in
>> the query, so the answer doesn't have the AD flag or RRSIG, if you
>> add "+dnssec" to the dig command you should see both in replies from
>> the cache,
> I'm seeing the same that Matthias noted: the second response from
> dnsmasq doesn't have the +AD bit set.
> FWIW, Unbound and BIND9 both respond with +AD when I query them
> consecutively with `dig +ad'.
> Adding +dnssec to the flags upon querying dnsmasq works.
Answering my previous question, this behaviour is specified in RFC 6840
para 5.7. Code changes to implement it are in git now.
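
Added example, not dnsmasq code and not part of the original message: a sketch of the reply rule discussed in this thread, where a validating resolver sets AD only when the data validated and the query carried the DO bit or the AD bit, and returns RRSIGs only when DO is set. The function names and the sample queries are constructed for illustration, and only uncompressed names are handled.

```python
import struct

AD_BIT = 0x0020   # header flag: Authentic Data
DO_BIT = 0x8000   # EDNS0 flag in the OPT record's TTL field: DNSSEC OK
TYPE_OPT = 41

def build_query(name, ad=False, do=False):
    """Constructed sample A query; do=True appends an EDNS0 OPT record."""
    flags = 0x0100 | (AD_BIT if ad else 0)            # RD, optionally AD
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 1 if do else 0)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!2H", 1, 1)         # QTYPE=A, QCLASS=IN
    if do:  # root owner name, TYPE=OPT, CLASS=UDP size, TTL=flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return msg

def skip_name(msg, off):
    """Skip an uncompressed domain name and return the offset after it."""
    while msg[off]:
        off += 1 + msg[off]
    return off + 1

def query_signals(msg):
    """Return (ad, do) as requested by a wire-format query."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & DO_BIT)
    return bool(flags & AD_BIT), do

def reply_policy(msg, validated_secure):
    """AD only for validated data the client asked about; RRSIGs only with DO."""
    ad, do = query_signals(msg)
    return {"set_ad": validated_secure and (ad or do), "include_rrsig": do}

if __name__ == "__main__":
    for label, q in [("neither bit", build_query("example.com")),
                     ("AD set", build_query("example.com", ad=True)),
                     ("DO set", build_query("example.com", do=True))]:
        print(label, reply_policy(q, validated_secure=True))
```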