[dnsdist] DNSSEC validation result

Stephane Bortzmeyer bortzmeyer at nic.fr
Sat Feb 29 12:55:55 UTC 2020


I run a DoH and DoT resolver with dnsdist. The backend resolvers
validate (I can test them with dig and see the AD bit.) But dnsdist
returns the AD bit to the client only when the client uses the DO
bit. (Unlike, for instance, Unbound, or Cloudflare's 1.1.1.1, which
always return AD if the domain validates, regardless of DO.)

Is it on purpose? I don't see why.

RFC 6840 mentions this behavior only for the case when the *client*
uses the AD bit.


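The check described in the post (send the same query with and without the EDNS0 DO bit and compare the AD bit in the two reply headers) can be scripted with raw DNS wire format and no third-party library. This is an added example, not code from dnsdist or from the poster; it assumes a resolver reachable over UDP/53 at an IPv4 address, an advertised EDNS buffer size of 1232, and `example.com` as a constructed query name. The `as_response` helper fabricates a reply from a query purely so the parser and classifier can be exercised offline.

```python
import socket
import struct
import sys

# Added example (not dnsdist code): raw DNS wire-format helpers to reproduce the
# check in the post. Header flag bits (RFC 1035 / RFC 4035):
# QR 0x8000, RD 0x0100, AD 0x0020, CD 0x0010.
# The DO bit is bit 15 of the OPT RR's 32-bit TTL field (RFC 6891).
QR, RD, AD, CD = 0x8000, 0x0100, 0x0020, 0x0010
OPT_TYPE = 41
DO = 0x8000
EDNS_BUFSIZE = 1232          # assumed UDP payload size advertised in OPT


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, do_bit=False, txid=0x1234):
    """Build an RD=1 query carrying an EDNS0 OPT RR; DO is set only if do_bit."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP size, TTL = ext-rcode|version|flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_BUFSIZE, DO if do_bit else 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract the header flags and the OPT DO bit from a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    do_bit = None                               # None: no OPT RR in the message
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            do_bit = bool(ttl & DO)
    return {"id": txid, "qr": bool(flags & QR), "rcode": flags & 0xF,
            "ad": bool(flags & AD), "cd": bool(flags & CD), "do": do_bit}


def as_response(query, ad):
    """Constructed reply for offline testing: same message with QR (and optionally AD) set."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags |= QR
    if ad:
        flags |= AD
    return struct.pack("!HH", txid, flags) + query[4:]


def classify(reply_with_do, reply_without_do):
    """Summarise how a resolver hands back AD relative to the client's DO bit."""
    if reply_with_do["ad"] and reply_without_do["ad"]:
        return "AD regardless of DO"
    if reply_with_do["ad"]:
        return "AD only when DO set"
    return "no AD"


def probe(resolver, name, do_bit, timeout=3.0):
    """Send one UDP query to resolver (an IPv4 address) and parse the reply. Needs network."""
    q = build_query(name, do_bit=do_bit)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch")
    return reply


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: ad_vs_do.py <resolver-ipv4> <name>")
    with_do = probe(sys.argv[1], sys.argv[2], do_bit=True)
    without_do = probe(sys.argv[1], sys.argv[2], do_bit=False)
    print("DO set:  ", with_do)
    print("DO clear:", without_do)
    print(classify(with_do, without_do))
```

Run it against a dnsdist frontend and against one of its backends with a name that validates: if the backend reports "AD regardless of DO" while the frontend reports "AD only when DO set", the difference is introduced by dnsdist rather than by the validating resolver. The script only speaks plain UDP/53, so a DoH or DoT frontend would need the same two queries sent over that transport instead.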