On 7 aug 2008, at 15.05, Wouter Wijngaards wrote:

> You are using an older version of Bind9 I think; since this was
> considered bad behaviour by Bind, and fixed in recent releases.
> It was fixed because some legacy boxes (adsl I think) did not like
> getting AD bits in their replies and crash or hang on it.

correct (and I was the one that found the bug) - some crappy NAT-boxes
dropped DNS answers with AD set.

> If you just want to get an AD bit in the reply if it's secure, set the AD
> bit in the query to signal that you are ready and able to receive the AD
> bit in the reply.
>
> That means getting your stub resolver to set 'AD' in queries.
>
> This has just been documented in the latest dnssec-bis-updates draft in
> the IETF dnsext working group.

yes, this is the way to go.

jakob
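The behaviour discussed in this thread (a stub sets AD in the query to signal it can handle AD in the reply, and then checks whether the resolver set AD) as an added example in Python; this is not code from the thread or from any resolver, and the query name, transaction id and the two reply headers are constructed sample data.

```python
import struct

# DNS header flag bits: QR/RD/RA from RFC 1035, AD/CD from RFC 2535 section 6.1.
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # Authenticated Data
FLAG_CD = 0x0010  # Checking Disabled


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, want_ad: bool = True) -> bytes:
    """Build a recursive (RD) query; with want_ad the AD bit tells the resolver
    that this stub is ready to receive AD in the reply, as the thread describes."""
    flags = FLAG_RD | (FLAG_AD if want_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def reply_flags(msg: bytes) -> dict:
    """Decode the header flags of a reply so the caller can see whether the
    resolver marked the answer as authenticated (AD) and what RCODE it returned."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
    }


# Constructed reply headers (not captured traffic): one with AD set, one without.
SAMPLE_SECURE_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
SAMPLE_INSECURE_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com.")
    print("query flags: 0x%04x" % int.from_bytes(q[2:4], "big"))
    print("secure reply AD:", reply_flags(SAMPLE_SECURE_REPLY)["ad"])
    print("insecure reply AD:", reply_flags(SAMPLE_INSECURE_REPLY)["ad"])
```

A stub that does not set AD in its query should treat a reply with AD clear as "not validated" rather than "insecure", since an older resolver may simply have withheld the bit as the thread explains.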