[Dnsmasq-discuss] Testers wanted: DNSSEC.

Simon Kelley simon at thekelleys.org.uk
Thu Feb 6 18:17:06 GMT 2014


On 06/02/14 08:15, Jan-Piet Mens wrote:
>>> 1. I am getting different results on two subsequent identical queries
>>> WRT RRSIG record and AD flag.
>
>> The second answer comes from the cache, and the DO bit is not set in
>> the query, so the answer doesn't have the AD flag or RRSIG, if you
>> add "+dnssec" to the dig command you should see both in replies from
>> the cache,
>
> I'm seeing the same that Matthias noted: the second response from
> dnsmasq doesn't have the +AD bit set.
>
> FWIW, Unbound and BIND9 both respond with +AD when I query them
> consecutively with `dig +ad'.
>
> Adding +dnssec to the flags upon querying dnsmasq works.
>
>          -JP

Answering my previous question, this behaviour is specified in RFC 6840 
para 5.7. Code changes to implement it are in git now.



Cheers,

Simon.
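
The following is an added example, not part of the original message and not dnsmasq's code: it reads the AD and DO signals from a query in wire format and decides what a validating cache should return. The rule in `reply_policy` (AD for validated data when the query carried AD or DO, RRSIGs only with DO) is an assumption based on the behaviour described in this thread and RFC 6840; all function names and the sample queries are constructed.

```python
import struct

AD_FLAG = 0x0020    # AD bit in the DNS header flags word
DO_FLAG = 0x8000    # DO bit: top bit of the flags half of the OPT TTL (RFC 3225)
TYPE_OPT = 41

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + length

def query_signals(msg):
    """Return (ad, do) as signalled by a DNS query in wire format."""
    try:
        _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        off, do = 12, False
        for _ in range(qd):
            off = skip_name(msg, off) + 4           # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                do = bool(ttl & DO_FLAG)
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed DNS query") from None
    return bool(flags & AD_FLAG), do

def reply_policy(msg, validated):
    """Assumed rule: AD needs validated data plus AD or DO in the query; RRSIGs need DO."""
    ad, do = query_signals(msg)
    return {"set_ad": validated and (ad or do), "include_rrsig": do}

def build_query(name, ad=False, do=None):
    """Constructed sample query; do=None means no EDNS OPT record is sent."""
    flags = 0x0100 | (AD_FLAG if ad else 0)         # RD set
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0 if do is None else 1)
    msg += qname + struct.pack("!HH", 1, 1)         # QTYPE A, QCLASS IN
    if do is not None:
        msg += b"\0" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG if do else 0, 0)
    return msg
```

`build_query("example.org", ad=True)` models the `dig +ad` case from the thread and `build_query("example.org", do=True)` the `dig +dnssec` case.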


