Regarding the original thread, I fully support the opinion of Andrew and Edward. But regarding the AD bit discussion, I wondered if the following statement is true for authoritative name servers:

Edward Lewis wrote:
> A bunch of people, in the past wrote this stuff:
>
> > So AD doesn't mean "I validated this", but rather "I know this is
> > valid".
>
> That is correct. The AD bit isn't a statement of how the server learned the information but an affirmation that the response meets the server's security metric.

So why doesn't an authoritative name server set the AD bit on answers to queries with the DO flag set? For sure the authoritative server sets the AA bit, but it would be helpful for the stub resolver if it sets the AD bit also!

Best regards
 Holger


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
