> Yeah, by the time it lands on Debian's glibc we'll have grown a long
> long beard.  I'm still missing RES_TRUSTAD...

Oh, this set me off on a tangent.  I hadn't heard of RES_TRUSTAD
before, so I found

  https://man7.org/linux/man-pages/man5/resolv.conf.5.html

which under "trust-ad" contains this text:

          If the trust-ad option is active, the stub resolver
          sets the AD bit in outgoing DNS queries (to enable AD
          bit support), [...]

I could not get that to rhyme with what I had perceived to be the
semantics of the AD bit, so I looked up RFC 4035 where near the
end of section 3 (just before 3.1), I find this text:

   The AD bit is controlled by name servers; a security-aware
   name server MUST ignore the setting of the AD bit in queries.

So ... I can't get the glibc behaviour to mesh with the standard
on this particular point.

Regards,

- Håvard
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to