[Dnsmasq-discuss] Testers wanted: DNSSEC.

Simon Kelley simon at thekelleys.org.uk
Thu Feb 6 18:17:06 GMT 2014

On 06/02/14 08:15, Jan-Piet Mens wrote:
>>> 1. I am getting different results on two subsequent identical queries
>>> WRT RRSIG record and AD flag.
>> The second answer comes from the cache, and the D0 bit is not set in
>> the query, so the answer doesn't have the AD  flag or RRSIG, if you
>> add "+dnssec" to the dig command you should see both in replies from
>> the cache,
> I'm seeing the same that Matthias noted: the second response from
> dnsmasq doesn't have the +AD bit set.
> FWIW, Unbound and BIND9 both respond with +AD when I query them
> consecutively with `dig +ad'.
> Adding +dnssec to the flags upon querying dnsmasq works.
>          -JP

Answering my previous question, this behaviour is specified in RFC 6840 
para 5.7. Code changes to implement it are in git now.



More information about the Dnsmasq-discuss mailing list