You are correct. Normal stub resolvers on desktop clients or mobile devices only see the AD flag (or SERVFAIL when validation fails). They will only get all the additional DNSSEC record types if they used the +dnssec option in dig (which sets the DO bit in the outbound query).
On Tue, Apr 11, 2023 at 3:12 PM Bob Harold <rharo...@umich.edu> wrote:
> I was in the process of setting up a test server with DNSSEC signed
> domains, and asking users to point at the test server to see if the larger
> packets affected their application, when I realized I might be wrong.
> DNS Resolvers will get bigger responses from DNS Authoritative servers
> because of DNSSEC signatures. But clients, running stub resolvers, will
> likely set the +AD flag and expect the DNS Resolver to validate, but the
> client will get a response that does not include any DNSSEC records. Is
> that correct?
>
> So I only need to worry about increased packet sizes between DNS Resolvers
> and DNS Authoritative servers?
>
> (Granted, the actual answer size to the client could be large enough to
> cause fall-back to TCP, but that is not because of DNSSEC.)
>
> --
> Bob Harold
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
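The behaviour described in the reply above, as an added example that is not part of the thread and is not BIND code: a standard-library-only Python script that builds a recursive query either with the AD bit requested (what a typical stub does) or with the EDNS0 DO bit set (what `dig +dnssec` does), and then inspects a response for the AD flag, the DO bit, the RCODE and the number of DNSSEC record types (DS, RRSIG, NSEC, DNSKEY, NSEC3) it carries. The responses it parses offline are constructed inline with placeholder data (a TEST-NET address and an RRSIG whose signature bytes are zeros); the `query_resolver()` helper, which sends the same query to a real resolver over UDP, is an assumed usage pattern, not something from the thread.

```python
"""Build DNS queries with/without the EDNS0 DO bit and inspect responses for
the AD flag, the DO bit, RCODE and DNSSEC record types. Standard library only.
Sample responses below are CONSTRUCTED for illustration: the A record and the
RRSIG payload are placeholders, not real DNS data."""
import socket
import struct

TYPE_A, TYPE_OPT = 1, 41
TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY, TYPE_NSEC3 = 43, 46, 47, 48, 50
DNSSEC_TYPES = {TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY, TYPE_NSEC3}
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020
RCODE_SERVFAIL = 2
DO_BIT = 0x8000  # DNSSEC OK: bit 15 of the OPT pseudo-RR's 32-bit TTL field


def encode_name(name):
    """Wire-format an owner name (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=TYPE_A, txid=0x1234, ad=False, do=False, udp_size=1232):
    """Recursive query with an EDNS0 OPT record. ad=True mirrors a stub that asks
    for the AD bit; do=True is what `dig +dnssec` does (DO bit set in OPT)."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)
    return header + question + opt


def parse_response(msg):
    """Summarise header flags, DO bit and DNSSEC RR count of a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    do, dnssec_rrs = False, 0
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & DO_BIT)
        elif rtype in DNSSEC_TYPES:
            dnssec_rrs += 1
    return {"ad": bool(flags & FLAG_AD), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "do": do, "dnssec_rrs": dnssec_rrs, "size": len(msg)}


def build_sample_response(query, ad, do, include_rrsig, servfail=False):
    """CONSTRUCTED response: echoes the question, answers with a TEST-NET A record
    and, optionally, an RRSIG whose signature bytes are zeros (placeholder only)."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:skip_name(query, 12) + 4]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    rrs = []
    if servfail:
        flags |= RCODE_SERVFAIL  # what a validating resolver returns for bogus data
    else:
        owner = b"\xc0\x0c"  # compression pointer back to the question name
        rrs.append(owner + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1]))
        if include_rrsig:
            # RRSIG rdata: type covered, alg, labels, orig TTL, expiry, inception, key tag,
            # signer name (uncompressed), signature (zeros here)
            rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0, 0, 0)
                     + encode_name("example.com") + b"\x00" * 64)
            rrs.append(owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_BIT if do else 0, 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 1)
    return header + question + b"".join(rrs) + opt


def query_resolver(server, name, **kwargs):
    """Send build_query() over UDP to a real resolver (assumed usage; not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, **kwargs), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    stub = build_query("example.com", ad=True)          # typical stub: AD asked, DO clear
    dig = build_query("example.com", ad=True, do=True)  # dig +dnssec: DO set
    print("stub  ", parse_response(build_sample_response(stub, True, False, False)))
    print("dig   ", parse_response(build_sample_response(dig, True, True, True)))
    print("bogus ", parse_response(build_sample_response(stub, False, False, False, servfail=True)))
```

Against a real validating resolver (replace the placeholder address), `query_resolver("192.0.2.53", "example.com", ad=True)` versus `query_resolver("192.0.2.53", "example.com", ad=True, do=True)` shows the difference the reply describes: both get the AD flag for a validated name, but only the DO query gets RRSIGs back and a correspondingly larger `size`; a result with `tc` set means the UDP answer was truncated and a client would retry over TCP.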