In my (limited) experience, the server only responds with the AD bit set when it can validate the DNSSEC records on the domain. As there is no root key in the DNS now, this means you must configure trust anchors on your recursive nameserver.
My question would be: is your recursive DNS server actually able to validate the DNSSEC records? If you operate the server, you should be able to examine the dnssec logs and determine if the nameserver is able to validate the DNSSEC records.

--
Bind9 (8.04) not returning 'ad' flag when dnssec is enabled
https://bugs.launchpad.net/bugs/242956
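The AD-bit check discussed in the comment above, as an added example that is not part of the original bug comment or of BIND: it builds a query with the EDNS0 DO bit set and classifies a resolver's response header. The function names and the sample headers are constructed for illustration.

```python
import struct

# Masks for the 16-bit flags word of the DNS header (RFC 1035, RFC 4035).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, msg_id=0x1234):
    """Recursive query carrying an EDNS0 OPT record with the DO bit set."""
    header = struct.pack("!HHHHHH", msg_id, RD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0,
    # flags 0x8000 (DO), empty RDATA.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def classify_response(packet):
    """Report whether the resolver claims to have validated the answer."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & QR:
        raise ValueError("not a response")
    code = flags & 0x000F
    rcode = RCODES.get(code, str(code))
    if rcode == "SERVFAIL":
        # A validating resolver also answers SERVFAIL when data is bogus.
        verdict = "failed"
    elif flags & AD:
        verdict = "validated"
    else:
        # Unsigned zone, validation disabled, or no usable trust anchor.
        verdict = "not-validated"
    return {"rcode": rcode, "ad": bool(flags & AD), "answers": ancount,
            "verdict": verdict}

# Constructed response headers (12 bytes each), not captured traffic.
SAMPLES = {
    "with_ad": struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 1),
    "without_ad": struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 1),
    "servfail": struct.pack("!HHHHHH", 0x1234, QR | RD | RA | 2, 1, 0, 0, 1),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, classify_response(pkt))
```

A "not-validated" result for a zone known to be signed points at the resolver's validation setup, which is where the trust anchor configuration and the resolver's logs come in.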