[Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

Pieter Lexis pieter.lexis at powerdns.com
Fri May 20 07:58:55 UTC 2016

Hi Leen and Michael,

On Fri, 20 May 2016 09:31:31 +0200
Leen Besselink <leen at consolejunkie.net> wrote:
> I forgot to mention, when you query a recursor, the recursor can also indicate that the response is DNSSEC-validated, you need to look at the AD-bit.

For completeness, the recursor follows RFC 6840[1] ยง5.7 pretty strict (in a DNSSEC mode). This means that a +AD bit in the query will trigger validation in process mode. When the AD bit is not set in the query, the recursor will not answer with the AD bit set, even when the data is validated (in validation mode).

The DO bit in the query is interpreted as 'give me DNSSEC records', this means that the recursor will return NSEC(3) and RRSIG records in the response. But if there is no AD bit set, no validation will take place.

Best regards,


1 - https://tools.ietf.org/html/rfc6840

Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

More information about the Pdns-users mailing list